So why doesn't Apple use some S/N associated PK authorization when pairing with the iphone? They seem to be doing things like this for internal components as far as I understand.
Internal components work because they are added at the same time the software has been loaded on the phone. Airpods are added after the fact and can change later. This means scam products can just bit for bit copy the signature and serial number from genuine airpods.
The only detection method then would be Apple noticing multiple products have the same S/N which I guess is how they warn users of fake products these days.
The airpod could send the phone a public key + apple's signature for that key, then the phone could do challenge-response against that key. That would mean the scammers would have to exfiltrate the private key from a legit pair of airpods, which would hopefully be much more expensive
The people who fall for it and don't return them likely have no idea. They'll probably just show up as Bluetooth headphones and have none of the Airpods features that the buyer doesn't even know exist
The fake ones somehow do have all the proprietary airpod features. The main difference is things like the sound quality and reliability. Without a comprehensive test, it's effectively impossible to spot fake airpods before Apple added the warning in a software update.
Clearly fake AirPods would pair like a regular Bluetooth headset, not like real AirPods where Apple shows the rotating case and provides the special AirPods only features.
Some fake AirPods do pair as AirPods, not generic Bluetooth devices. However Apple have been adding additional checks in iOS to root out the fake ones:
