This is an interesting question.
The short answer is:
The AirTags (and recent Tiles) send out some BLE signal but that signal changes from time to time so it cannot be used straigthforwardly for identifying the device.
The long answer is:
A beacon is a simple device that constantly emits the same identifier as a Bluetooth signal. Furthermore, all communication with a beacon happens “in the clear” and isn’t encrypted. Anyone can listen to your beacon and captures your beacons’ identifier.
Having captured the information, an attacker may clone your beacons. Cloning consists of copying your beacon configuration and putting it into another beacon to mislead your Homey.
Hasn’t any manufacturer fixed this security issue?
The solution is to use a pseudo-random identifier that changes periodically. Only authorized apps in possession of a special key can resolve the pseudo-random to a “real” one.
The solution is conceptually simple but it is difficult to put it into practice.
A quite complex centralized infrastructure is needed: the core is a public resolver service for registered beacons; it involves a registration process for sharing an encryption key between service and beacon. The registration process involves an authentication and authorization process (only authorized users can register their beacons; only authorized apps can resolve the real identity of a previously registered beacon).
The beacon itself needs a special firmware; it must store in a secure way the shared encryption key; it must implement a time counter for rotating the advertised pseudo-random identifier; the time counter must be able to recover from a power loss condition.
Today, only a few manufacturers provide secure beacons: Tile (since 2019) and Apple with AirTag (since 2021); these are “closed” solutions. Kontakt.io provides an “open” solution with a public SDK and a public discover service that works with their beacons. In 2016 Google proposed the Eddystone EID “fully open” solution but recently the service has been downsized several times (too complex for manufacturer, developers and users?)
To sum up, today the Beacon App is not able to provide a “secure” solution. If Beacon App users were interested, the only way forward would be the Kontakt.io beacons.
