AirTag hacked and reprogrammed by security researcher

13

Comments

  • Reply 41 of 62
    nicholfdnicholfd Posts: 608member
    Soli said:
    ppietra said:
    Soli said:
    ppietra said:
    Xed said:
    ppietra said:
    Xed said:
    ppietra said:
    Xed said:
    ppietra said:
    Xed said:
    ppietra said:
    Xed said:
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple.  The Apple iPhone/iPad/AppleWatch(?) picks up a unique BT ID, and THAT device talks to Apple.  All the AirTag does is broadcast its ID via BlueTooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely which will forward their location to Apple which will let you know where they were found.
    That is not how AirTags work. AirTags don’t connect to any other device other than the owner’s iPhone, neither are AirTags responsible for sending information to servers.
    AirTags only broadcast a Bluetooth ID for other Apple’ devices to see. It’s the iPhones and iPads in the network that communicate with Apple servers, and once there is a request for an AirTag they probably receive the associated Public Key to encrypt its location so that the owner can discover it. 
    Just pay attention to the fact that devices cannot establish a Bluetooth connection without first pairing,  and strange devices don’t pair without user consent... Not only would it be a very high security risk to create ad-hoc connections with strange devices, it would also easily saturate bluetooth connections making it impossible for people to use their own devices and increasing power consumption unnecessarily.
    Of course they do. That's a key to how they securely send their location to your device when you're not within BT range, just like with Tile, Trackr, et al. This isn't a difficult concept to understand. Just because the device isn't showing up on another person's phone doesn't mean the device isn't connecting to the internet via said device.

    They will even connect to Android devices which allows AirTag to be scanned which will pop up an alert on the screen that includes a web link (as this researcher did in the article). If it's marked as lost, you'll see instructions on how to contact the rightful owner and get the item back to them.
    No they don’t. If you knew anything about how bluetooth works on an iPhone, you would know that there is no connection over bluetooth without pairing, and devices only pair with user authorisation.
    The location is securely sent by other iPhones not by the AirTag. The iPhone sees the AirTag "ID", the iPhone knows its own location, the iPhone communicates to Apple encrypted (using the AirTag broadcasted Public Key) location. It is a concept quite easy to understand, that has been around for a few years to find offline Phones!!! For other people devices the AirTag is passive, non connected.
    AirTags don’t connect to Android devices. Android devices can scan the NFC chip and get a link to a website, and that is it. Anything else after that doesn’t involve the AirTag, nor does it connect an AirTag to a server.
    Being passive doesn't mean it doesn't connect. It's a signal that is going to a device which transmits its ID to a server which then forwards it's ID to its owner along with its location. If it didn't do this there would be such thing as AirTag or Tile. In no comment did I say that it pairs with another device.

    Additionally, and yet again, there are other wireless technologies in which more than just iPhones can retrieve data from AirTags. That is very clearly a wireless transmission of data from one device to another and to say otherwise is foolish.
    OMG!!! being passive means it doesn’t connect because that is my own description and that is what I meant. There is no signal going through another device! The AirTag is only broadcasting an ID (an alphanumeric string) that anyone can see! It doesn’t interact with other iPhones!!! 
    "In no comment did I say that it pairs with another device":
    In several comments you mention that the AirTag connects to the internet via another device!!! You can only use another device’s internet if your pair the devices!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! You actually mention a lot the idea that an hacked AirTag could use these devices (iPhones) to connect to servers not from Apple... so clearly you thought that the AirTag could behave in far more complex ways than it actually does.
    In networking a connection is when two devices successfully communicate with each other. This does not mean that communication has to be both ways or in the complex ways in which you are obviously assuming. The fact that you admit that a URL is being sent from one device to read by another means they can communicate wirelessly. To conflate with with how you pair headphone with a device.
    Seriously!????????????? Are you trolling me?
    To communicate with each other both need to communicate with each other... seems a very simple concept to grasp! And there are protocols that need to be followed to establish a bluetooth connection. Broadcasting a string is not a bluetooth connection!
    Besides the fact that the NFC has nothing to do with Find My network, the NFC chip scanning does not establish any kind of network connection in any way similar with how you pair an headphone
    Are you trolling me?

    One last time JIC you're really not getting it. Scenario: Someone with aniPhone X finds a lost AirTag. They try to use it to determine who lost it. Will they be able to have the AirTag connect to their device so the AirTag can communicate the URL to their iPhone? No, because it doesn't have the NFC HW, but iPhone 11's and newer can, as well as countless other devices made by other vendors.
    you should study what NFC scanning entices and what is a network connection! But hey, at least you already forgot all about bluetooth and connecting to the internet.
    Networking may be complex in execution but the foundations are universal. Nodes must always connect to other nodes before information and resources can be shared. Networks follow protocols, which define how communications are sent and received. It is impossible to communicate if you're not speaking the same language, which in networking means using compatible protocols and with wireless also requires compatible frequency ranges.

    Take for example the GPS in a plane or car that connects with various satellites without the satellites having any indication of the devices that are connecting to them. There's no handshake involved but the devices are still connecting and then retrieving location and timing information from the satellites. Without the connection to the sats there is no way to triangulate.
    You don’t connect to GPS satellites, you only collect data that is broadcasted by different satellites... It is the device that then calculates its own location based on the data that was broadcasted. Why are people confusing non-network broadcasting with connection?
    It's all networking and it's still a connection that has to be established to allow data to be passed. If you tune in the correct FM frequency to a local radio station you are connecting to that radio station and will then be able to receive their Tx..

    Ask yourself this question. If a computer is not connected to a network how will they obtain an IP address from a DHCP server? Who is there to listen and respond to their request if they aren't connected to that work? Hopefully that makes sense. Now ask yourself the same thing for trackers. If a tracker is broadcasting and there are no nodes that can understand what they are saying how will there message be relayed? Don't iPhones have to be using the same protocols and frequencies to be able to read the IDs and pass them along? That's the connection, just as basic as a packet using UDP and a particular port number to get a message to a server. It's not sexy, but it works most of time.
    JUST STOP!

    BT LE & NFC are not networks or network protocols.  

    You can get many free apps that listen for BT LE broadcasts, and look at NFC devices.  There's nothing special about them.  What they share can be encrypted, but any compliant device will hear the broadcast or be able to read the NFC device if they are in range.  It's still one way & not a network protocol.

    Stop blabbering so much about things you don't understand.
  • Reply 42 of 62
    XedXed Posts: 973member
    nicholfd said:
    Soli said:
    nicholfd said:
    Xed said:
    ppietra said:
    Xed said:
    ppietra said:
    Xed said:
    ppietra said:
    Xed said:
    ppietra said:
    Xed said:
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple.  The Apple iPhone/iPad/AppleWatch(?) picks up a unique BT ID, and THAT device talks to Apple.  All the AirTag does is broadcast its ID via BlueTooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely which will forward their location to Apple which will let you know where they were found.
    That is not how AirTags work. AirTags don’t connect to any other device other than the owner’s iPhone, neither are AirTags responsible for sending information to servers.
    AirTags only broadcast a Bluetooth ID for other Apple’ devices to see. It’s the iPhones and iPads in the network that communicate with Apple servers, and once there is a request for an AirTag they probably receive the associated Public Key to encrypt its location so that the owner can discover it. 
    Just pay attention to the fact that devices cannot establish a Bluetooth connection without first pairing,  and strange devices don’t pair without user consent... Not only would it be a very high security risk to create ad-hoc connections with strange devices, it would also easily saturate bluetooth connections making it impossible for people to use their own devices and increasing power consumption unnecessarily.
    Of course they do. That's a key to how they securely send their location to your device when you're not within BT range, just like with Tile, Trackr, et al. This isn't a difficult concept to understand. Just because the device isn't showing up on another person's phone doesn't mean the device isn't connecting to the internet via said device.

    They will even connect to Android devices which allows AirTag to be scanned which will pop up an alert on the screen that includes a web link (as this researcher did in the article). If it's marked as lost, you'll see instructions on how to contact the rightful owner and get the item back to them.
    No they don’t. If you knew anything about how bluetooth works on an iPhone, you would know that there is no connection over bluetooth without pairing, and devices only pair with user authorisation.
    The location is securely sent by other iPhones not by the AirTag. The iPhone sees the AirTag "ID", the iPhone knows its own location, the iPhone communicates to Apple encrypted (using the AirTag broadcasted Public Key) location. It is a concept quite easy to understand, that has been around for a few years to find offline Phones!!! For other people devices the AirTag is passive, non connected.
    AirTags don’t connect to Android devices. Android devices can scan the NFC chip and get a link to a website, and that is it. Anything else after that doesn’t involve the AirTag, nor does it connect an AirTag to a server.
    Being passive doesn't mean it doesn't connect. It's a signal that is going to a device which transmits its ID to a server which then forwards it's ID to its owner along with its location. If it didn't do this there would be such thing as AirTag or Tile. In no comment did I say that it pairs with another device.

    Additionally, and yet again, there are other wireless technologies in which more than just iPhones can retrieve data from AirTags. That is very clearly a wireless transmission of data from one device to another and to say otherwise is foolish.
    OMG!!! being passive means it doesn’t connect because that is my own description and that is what I meant. There is no signal going through another device! The AirTag is only broadcasting an ID (an alphanumeric string) that anyone can see! It doesn’t interact with other iPhones!!! 
    "In no comment did I say that it pairs with another device":
    In several comments you mention that the AirTag connects to the internet via another device!!! You can only use another device’s internet if your pair the devices!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! You actually mention a lot the idea that an hacked AirTag could use these devices (iPhones) to connect to servers not from Apple... so clearly you thought that the AirTag could behave in far more complex ways than it actually does.
    In networking a connection is when two devices successfully communicate with each other. This does not mean that communication has to be both ways or in the complex ways in which you are obviously assuming. The fact that you admit that a URL is being sent from one device to read by another means they can communicate wirelessly. To conflate with with how you pair headphone with a device.
    Seriously!????????????? Are you trolling me?
    To communicate with each other both need to communicate with each other... seems a very simple concept to grasp! And there are protocols that need to be followed to establish a bluetooth connection. Broadcasting a string is not a bluetooth connection!
    Besides the fact that the NFC has nothing to do with Find My network, the NFC chip scanning does not establish any kind of network connection in any way similar with how you pair an headphone
    Are you trolling me?

    One last time JIC you're really not getting it. Scenario: Someone with aniPhone X finds a lost AirTag. They try to use it to determine who lost it. Will they be able to have the AirTag connect to their device so the AirTag can communicate the URL to their iPhone? No, because it doesn't have the NFC HW, but iPhone 11's and newer can, as well as countless other devices made by other vendors.
    No one is trolling @Xed ;.  They are just informing you that you are ignorant of how this technology works.

    The AirTag broadcasts an encrypted ID via BLE, which is one way (in this case, the definition of broadcast).  If an iPhone with bluetooth (not NFC) is within range, the iPhone will send the encrypted AirTag ID, and the iPhone's location to Apple.  Apple will decrypt the AirTag ID, and notify the device the AirTag is paired with (and other devices using the same Apple ID), with the iPhone's location.

    And again, showing your ignorance, iPhones since iPhone 6 & 6Plus have NFC (for Apple Pay).  However, only the iPhone 7 & 7Plus & newer have NFC readers that can read an AirTag, all have NFC (not UWB which isn't required).  Again, the NFC URL is read by the NFC reader - one way communication.  Even non-Apple (Android) devices can read the URL via NFC.

    The AirTag cannot communicate two way with anything - only broadcast it's ID, encrypted.
    How do you suppose that broadcast is retrieved and passed on if there are no devices using the same protocols and frequencies that can hear it and know what to do with it?

    Historically when a node (like your computer) wants to obtain an IP address it would send out a message on whatever network it is using. Any and all devices connected on the network will ignore this broadcast except for either the DHCP server which will send back an IP address for that MAC address to use (or it will be forwarded to another network where a DHCP server will eventually send back this information by routers configured to do so).

    Broadcasts are still a communication even if they aren't one-to-one communication between nodes so they still need other linked nodes to allow them to pass on this data.
    It's called BT LE (BlueTooth LE) & NFC - these are standards.  They are Broadcast & Read Only (generally).  They are one way (in this scenario).

    There is not TCP/IP, network, DHCP, IP address, etc.  It's simply read the NFC, or listen fo the BT LE broadcast.  One way.  No app listening, no communications.
    Did you really just just go from say that BT doesn't communicate? 🤦‍♂️ Geez! Kinda hard to send someone data when you can't communicate.

    Even if AirTags were a one-way beacon it would still be communication, but as I've already detailed several times AirTags communicate in both directions and over multiple wireless technologies.

    Tile will even let you locate your phone by pressing a button on the Tile. Not a feature I need but nice to have and clearly shows that BT is used for wireless communications. 
    Soli
  • Reply 43 of 62
    mcdavemcdave Posts: 1,693member
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    Sorry but I don’t buy the “cables are only for power” the AirTag is already powered. The only reason to open it is to access pins for re-flashing which means a more physical hack which would look obvious.
    You can pretty much pull anything apart and hack it, the remote hack would be the worry.
  • Reply 44 of 62
    SoliSoli Posts: 10,028member
    nicholfd said:

    BT LE & NFC are not networks or network protocols. 

    Then someone better tell the IEEE that.




    PS: Bye FeliCa.*

    * That is probably wasted since at most youonly understand one-half of that statement.

    edited May 9 Xed
  • Reply 45 of 62
    nicholfdnicholfd Posts: 608member
    Xed said:
    nicholfd said:
    Soli said:
    nicholfd said:
    Xed said:
    ppietra said:
    Xed said:
    ppietra said:
    Xed said:
    ppietra said:
    Xed said:
    ppietra said:
    Xed said:
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple.  The Apple iPhone/iPad/AppleWatch(?) picks up a unique BT ID, and THAT device talks to Apple.  All the AirTag does is broadcast its ID via BlueTooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely which will forward their location to Apple which will let you know where they were found.
    That is not how AirTags work. AirTags don’t connect to any other device other than the owner’s iPhone, neither are AirTags responsible for sending information to servers.
    AirTags only broadcast a Bluetooth ID for other Apple’ devices to see. It’s the iPhones and iPads in the network that communicate with Apple servers, and once there is a request for an AirTag they probably receive the associated Public Key to encrypt its location so that the owner can discover it. 
    Just pay attention to the fact that devices cannot establish a Bluetooth connection without first pairing,  and strange devices don’t pair without user consent... Not only would it be a very high security risk to create ad-hoc connections with strange devices, it would also easily saturate bluetooth connections making it impossible for people to use their own devices and increasing power consumption unnecessarily.
    Of course they do. That's a key to how they securely send their location to your device when you're not within BT range, just like with Tile, Trackr, et al. This isn't a difficult concept to understand. Just because the device isn't showing up on another person's phone doesn't mean the device isn't connecting to the internet via said device.

    They will even connect to Android devices which allows AirTag to be scanned which will pop up an alert on the screen that includes a web link (as this researcher did in the article). If it's marked as lost, you'll see instructions on how to contact the rightful owner and get the item back to them.
    No they don’t. If you knew anything about how bluetooth works on an iPhone, you would know that there is no connection over bluetooth without pairing, and devices only pair with user authorisation.
    The location is securely sent by other iPhones not by the AirTag. The iPhone sees the AirTag "ID", the iPhone knows its own location, the iPhone communicates to Apple encrypted (using the AirTag broadcasted Public Key) location. It is a concept quite easy to understand, that has been around for a few years to find offline Phones!!! For other people devices the AirTag is passive, non connected.
    AirTags don’t connect to Android devices. Android devices can scan the NFC chip and get a link to a website, and that is it. Anything else after that doesn’t involve the AirTag, nor does it connect an AirTag to a server.
    Being passive doesn't mean it doesn't connect. It's a signal that is going to a device which transmits its ID to a server which then forwards it's ID to its owner along with its location. If it didn't do this there would be such thing as AirTag or Tile. In no comment did I say that it pairs with another device.

    Additionally, and yet again, there are other wireless technologies in which more than just iPhones can retrieve data from AirTags. That is very clearly a wireless transmission of data from one device to another and to say otherwise is foolish.
    OMG!!! being passive means it doesn’t connect because that is my own description and that is what I meant. There is no signal going through another device! The AirTag is only broadcasting an ID (an alphanumeric string) that anyone can see! It doesn’t interact with other iPhones!!! 
    "In no comment did I say that it pairs with another device":
    In several comments you mention that the AirTag connects to the internet via another device!!! You can only use another device’s internet if your pair the devices!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! You actually mention a lot the idea that an hacked AirTag could use these devices (iPhones) to connect to servers not from Apple... so clearly you thought that the AirTag could behave in far more complex ways than it actually does.
    In networking a connection is when two devices successfully communicate with each other. This does not mean that communication has to be both ways or in the complex ways in which you are obviously assuming. The fact that you admit that a URL is being sent from one device to read by another means they can communicate wirelessly. To conflate with with how you pair headphone with a device.
    Seriously!????????????? Are you trolling me?
    To communicate with each other both need to communicate with each other... seems a very simple concept to grasp! And there are protocols that need to be followed to establish a bluetooth connection. Broadcasting a string is not a bluetooth connection!
    Besides the fact that the NFC has nothing to do with Find My network, the NFC chip scanning does not establish any kind of network connection in any way similar with how you pair an headphone
    Are you trolling me?

    One last time JIC you're really not getting it. Scenario: Someone with aniPhone X finds a lost AirTag. They try to use it to determine who lost it. Will they be able to have the AirTag connect to their device so the AirTag can communicate the URL to their iPhone? No, because it doesn't have the NFC HW, but iPhone 11's and newer can, as well as countless other devices made by other vendors.
    No one is trolling @Xed ;.  They are just informing you that you are ignorant of how this technology works.

    The AirTag broadcasts an encrypted ID via BLE, which is one way (in this case, the definition of broadcast).  If an iPhone with bluetooth (not NFC) is within range, the iPhone will send the encrypted AirTag ID, and the iPhone's location to Apple.  Apple will decrypt the AirTag ID, and notify the device the AirTag is paired with (and other devices using the same Apple ID), with the iPhone's location.

    And again, showing your ignorance, iPhones since iPhone 6 & 6Plus have NFC (for Apple Pay).  However, only the iPhone 7 & 7Plus & newer have NFC readers that can read an AirTag, all have NFC (not UWB which isn't required).  Again, the NFC URL is read by the NFC reader - one way communication.  Even non-Apple (Android) devices can read the URL via NFC.

    The AirTag cannot communicate two way with anything - only broadcast it's ID, encrypted.
    How do you suppose that broadcast is retrieved and passed on if there are no devices using the same protocols and frequencies that can hear it and know what to do with it?

    Historically when a node (like your computer) wants to obtain an IP address it would send out a message on whatever network it is using. Any and all devices connected on the network will ignore this broadcast except for either the DHCP server which will send back an IP address for that MAC address to use (or it will be forwarded to another network where a DHCP server will eventually send back this information by routers configured to do so).

    Broadcasts are still a communication even if they aren't one-to-one communication between nodes so they still need other linked nodes to allow them to pass on this data.
    It's called BT LE (BlueTooth LE) & NFC - these are standards.  They are Broadcast & Read Only (generally).  They are one way (in this scenario).

    There is not TCP/IP, network, DHCP, IP address, etc.  It's simply read the NFC, or listen fo the BT LE broadcast.  One way.  No app listening, no communications.
    Did you really just just go from say that BT doesn't communicate? 🤦‍♂️ Geez! Kinda hard to send someone data when you can't communicate.

    Even if AirTags were a one-way beacon it would still be communication, but as I've already detailed several times AirTags communicate in both directions and over multiple wireless technologies.

    Tile will even let you locate your phone by pressing a button on the Tile. Not a feature I need but nice to have and clearly shows that BT is used for wireless communications. 
    I did not say BT doesn't communicate.  Please re-read.  Did you even see the word "communicate" in my posts? (communications yes, communicate no - and look at the context).

    I said BT LE & NFC, as implemented in the AirTags (and probably Tile) are one-way communication only, away from the paired device.  That puts a full stop to your worries/consiparicy theories about how someone might use them for evil (go read your original post I replied to).

    You have detailed nothing.  You've said bullshit.  Because you don't understand.  You can say the sky is green all day long, but that doesn't make it true.

    AirTags ONLY use BT LE & UWB, and when away from their paired device, it is only one way.  Done.  

    And I'm done dealing with people who are unable to understand technology - I've already wasted too much time trying to educate.  Some people just can't learn (or don't want to).
    urahara
  • Reply 46 of 62
    nicholfdnicholfd Posts: 608member
    Soli said:
    nicholfd said:

    BT LE & NFC are not networks or network protocols. 

    Then someone better tell the IEEE that.




    PS: Bye FeliCa.*

    * That is probably wasted since at most youonly understand one-half of that statement.

    Don't see BT Low Energy mentioned there at all, except for a link to another article.  And NFC isn't mentioned there, either.

    Maybe you should look again.
    urahara
  • Reply 47 of 62
    nicholfdnicholfd Posts: 608member
    mcdave said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    Sorry but I don’t buy the “cables are only for power” the AirTag is already powered. The only reason to open it is to access pins for re-flashing which means a more physical hack which would look obvious.
    You can pretty much pull anything apart and hack it, the remote hack would be the worry.
    Yes - it is a physical hack.  The article stated that.  The other wires were used to hack/debug/re-write the URL the NFC spit out. 

    The point of mentioning that the wires were only for power (battery isn't in the picture or used at all), was to state that the "new" URL via NFC was not from the other wires.
  • Reply 48 of 62
    SoliSoli Posts: 10,028member
    nicholfd said:
    Soli said:
    nicholfd said:

    BT LE & NFC are not networks or network protocols. 

    Then someone better tell the IEEE that.




    PS: Bye FeliCa.*

    * That is probably wasted since at most youonly understand one-half of that statement.

    Don't see BT Low Energy mentioned there at all, except for a link to another article.  And NFC isn't mentioned there, either.

    Maybe you should look again.
    1) A quick search of the page shows Bluetooth mentioned a half-dozen times. For all intents and purposes, 802.15 is being used when what you think of as Bluetooth is present. It's used in wireless personal-area-networks (PANs/WPANs).

    2) NFC wouldn't be mentioned in that article because NFC (Near Field Communication) isn't Bluetooth. It's a completely different networking technology with its own set of standards, protocols, frequencies, and hardware. It's used in point-to-point and peer-to-peer networks, and can be passive or active. It's beyond my expertise to design but the magnetic field it generates is cool.
    edited May 9 Xed
  • Reply 49 of 62
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    “So what?” - Why are you so on the defense?
    It’s a researcher. He researches. He’s not interested in Airtags as a consumer, he buys them for his research. The fact you’re still waiting for yours is irrelevant.
  • Reply 50 of 62
    bestkeptsecretbestkeptsecret Posts: 4,012member
    OT: @Soli, nice to see you back. Where have you been?
    XedSoliStrangeDayspscooter63roundaboutnowmuthuk_vanalingam
  • Reply 51 of 62
    ericthehalfbeeericthehalfbee Posts: 4,268member
    Useless hack that poses practically zero threat to anyone.
  • Reply 52 of 62
    dewmedewme Posts: 3,694member
    ppietra said:
    Soli said:
    ppietra said:
    Xed said:
    ppietra said:
    Xed said:
    ppietra said:
    Xed said:
    ppietra said:
    Xed said:
    ppietra said:
    Xed said:
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple.  The Apple iPhone/iPad/AppleWatch(?) picks up a unique BT ID, and THAT device talks to Apple.  All the AirTag does is broadcast its ID via BlueTooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely which will forward their location to Apple which will let you know where they were found.
    That is not how AirTags work. AirTags don’t connect to any other device other than the owner’s iPhone, neither are AirTags responsible for sending information to servers.
    AirTags only broadcast a Bluetooth ID for other Apple’ devices to see. It’s the iPhones and iPads in the network that communicate with Apple servers, and once there is a request for an AirTag they probably receive the associated Public Key to encrypt its location so that the owner can discover it. 
    Just pay attention to the fact that devices cannot establish a Bluetooth connection without first pairing,  and strange devices don’t pair without user consent... Not only would it be a very high security risk to create ad-hoc connections with strange devices, it would also easily saturate bluetooth connections making it impossible for people to use their own devices and increasing power consumption unnecessarily.
    Of course they do. That's a key to how they securely send their location to your device when you're not within BT range, just like with Tile, Trackr, et al. This isn't a difficult concept to understand. Just because the device isn't showing up on another person's phone doesn't mean the device isn't connecting to the internet via said device.

    They will even connect to Android devices which allows AirTag to be scanned which will pop up an alert on the screen that includes a web link (as this researcher did in the article). If it's marked as lost, you'll see instructions on how to contact the rightful owner and get the item back to them.
    No they don’t. If you knew anything about how bluetooth works on an iPhone, you would know that there is no connection over bluetooth without pairing, and devices only pair with user authorisation.
    The location is securely sent by other iPhones not by the AirTag. The iPhone sees the AirTag "ID", the iPhone knows its own location, the iPhone communicates to Apple encrypted (using the AirTag broadcasted Public Key) location. It is a concept quite easy to understand, that has been around for a few years to find offline Phones!!! For other people devices the AirTag is passive, non connected.
    AirTags don’t connect to Android devices. Android devices can scan the NFC chip and get a link to a website, and that is it. Anything else after that doesn’t involve the AirTag, nor does it connect an AirTag to a server.
    Being passive doesn't mean it doesn't connect. It's a signal that is going to a device which transmits its ID to a server which then forwards it's ID to its owner along with its location. If it didn't do this there would be such thing as AirTag or Tile. In no comment did I say that it pairs with another device.

    Additionally, and yet again, there are other wireless technologies in which more than just iPhones can retrieve data from AirTags. That is very clearly a wireless transmission of data from one device to another and to say otherwise is foolish.
    OMG!!! being passive means it doesn’t connect because that is my own description and that is what I meant. There is no signal going through another device! The AirTag is only broadcasting an ID (an alphanumeric string) that anyone can see! It doesn’t interact with other iPhones!!! 
    "In no comment did I say that it pairs with another device":
    In several comments you mention that the AirTag connects to the internet via another device!!! You can only use another device’s internet if your pair the devices!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! You actually mention a lot the idea that an hacked AirTag could use these devices (iPhones) to connect to servers not from Apple... so clearly you thought that the AirTag could behave in far more complex ways than it actually does.
    In networking a connection is when two devices successfully communicate with each other. This does not mean that communication has to be both ways or in the complex ways in which you are obviously assuming. The fact that you admit that a URL is being sent from one device to read by another means they can communicate wirelessly. To conflate with with how you pair headphone with a device.
    Seriously!????????????? Are you trolling me?
    To communicate with each other both need to communicate with each other... seems a very simple concept to grasp! And there are protocols that need to be followed to establish a bluetooth connection. Broadcasting a string is not a bluetooth connection!
    Besides the fact that the NFC has nothing to do with Find My network, the NFC chip scanning does not establish any kind of network connection in any way similar with how you pair an headphone
    Are you trolling me?

    One last time JIC you're really not getting it. Scenario: Someone with aniPhone X finds a lost AirTag. They try to use it to determine who lost it. Will they be able to have the AirTag connect to their device so the AirTag can communicate the URL to their iPhone? No, because it doesn't have the NFC HW, but iPhone 11's and newer can, as well as countless other devices made by other vendors.
    you should study what NFC scanning entices and what is a network connection! But hey, at least you already forgot all about bluetooth and connecting to the internet.
    Networking may be complex in execution but the foundations are universal. Nodes must always connect to other nodes before information and resources can be shared. Networks follow protocols, which define how communications are sent and received. It is impossible to communicate if you're not speaking the same language, which in networking means using compatible protocols and with wireless also requires compatible frequency ranges.

    Take for example the GPS in a plane or car that connects with various satellites without the satellites having any indication of the devices that are connecting to them. There's no handshake involved but the devices are still connecting and then retrieving location and timing information from the satellites. Without the connection to the sats there is no way to triangulate.
    You don’t connect to GPS satellites, you only collect data that is broadcasted by different satellites... It is the device that then calculates its own location based on the data that was broadcasted. Why are people confusing non-network broadcasting with connection?

    This is an interesting argument that reminds me of the difference between "communication" and "connection," both at a technical level and a human level. Commenter ppietra's points are valid for many networking protocols that support both connected and unconnected messaging, where connected messaging generally infers that there is a notion of session/connection state information that is maintained by the endpoints and intermediaries that exists even when packets are not being actively sent of the wire. This contents, context, lifetime, semantics, and roles related to this state information is protocol specific. That's all fine and good.

    The human side of this argument falls along the lines of the distinctions drawn between communication and connection that are the primary focus of writers, speakers, and presenters like John C. Maxwell, most notably in his book "Everyone Communicates, Few Connect." I'm not going to rehash the book here, but it is very evident that there's a whole lot of communication taking place around the topic of connections, but not very much connection is actually happening.
    tenthousandthingspscooter63roundaboutnow
  • Reply 53 of 62
    shaminoshamino Posts: 474member
    The part that surprises me is that he was able to rewrite the AirTag's firmware.

    Most non-trivial microcontrollers I've seen include some kind of secure-boot facility where public key data is written to write-once memory as a part of loading the initial firmware image.  From that point forward, the device will refuse to boot if the rest of the firmware isn't signed with the corresponding private key.  This isn't unusual - I've seen it in MCUs from Realtek, ST, Silicon Labs, Qualcomm and many others.

    I'm surprised Apple didn't do the same for the AirTags.  Either they picked an MCU without this feature (maybe to minimize cost or to get something physically as small as possible) or they didn't bother using it.

    Or, as a third possibility, they only signed the software not the data file containing the URL (which may have been the only thing modified by this hack).

    Knowing what's going on here is far more interesting than arguing about what word should be used to describe BLE communication.  :smile: 
    roundaboutnowfastasleep
  • Reply 54 of 62
    uraharaurahara Posts: 543member
    Thank you @Soli and @Xed for reminding me how much I need to learn sometimes. Especially, to learn better critical thinking and better listening skills. 
    It seems we all have moments (some longer than others) when we are certain that we a right when in reality - we are not.
    Wish all of us more wisdom. 
  • Reply 55 of 62
    uraharaurahara Posts: 543member
    Some people like Xed and Soli are very dangerous. If they are not kept in check, their misinformation is spread among people looking for knowledge. 
    I am glad there are some more knowledgeable people on a subject of technology on AI forums.
  • Reply 56 of 62
    williamhwilliamh Posts: 789member
    macgui said:
    Yes, if that hack could be executed with theTV/ movie method of holding a phone close by and installing/altering code, then we'd have FUD worth considering.

    So once this hack is done, and the AirTag reassembled, to the degree of appearing unaltered, then what. It's swapped out for some victim's unmolested AirTag?

    Until it's leaked that the NSA is or the Chinese are selling modified/counterfeit AirTags, I suggest we not worry. Remote possibility doesn't equal even mild probability. I haven't ordered any yet, but will soon. 
    To my mind, the best use of this hack is to disable the speaker and alerting to make the AirTag a more stealthy stalking device.  It's not a useless hack at all, but then again, it doesn't do anything you couldn't achieve with another device.
  • Reply 57 of 62
    AppleZuluAppleZulu Posts: 1,108member
    Inevitably when Apple releases new tech - particularly security related tech - we see these early demos of some form of hacking or misuse, along with other imaginative prognostications of the terrible things that await us all as criminals seize this new tech to use against us. The thing that seems to evade the folks cooking up these scenarios is the universal cost/benefit analysis that is made by even the dumbest of criminals: is this worth the effort? For instance, you can argue that a clever thief can figure out how to bypass or disable the security cameras on your house, perhaps by cutting power or jamming radio signals, etc. The reality is that clever and not-so-clever thieves will almost always just take the easier route of finding the next house that doesn't have security cameras instead.

    When FaceID came out, we saw wild demonstrations of various types of facial replicas made to supposedly fool that system. Before that, we were assured that we were all at risk of losing fingers along with our iPhones so that thieves could defeat the new fingerprint readers. With some regularity, various other hacks of Macs, iPhones and iPads are breathlessly reported (particularly by folks who want to sell you their security software), only to see that the detailed info on the hack involves scenarios where the baddie has to gain physical access to the device, carry out a complex procedure on it and then return it to the owner unawares. In reality, most of these crimes are not worth the effort or risks required for these schemes to be implemented. 

    In the current case here, someone has to obtain, modify and return a victim's AirTag undetected. The modification part requires significant skill, as does the undetected reconstruction and return of the device. Lost in this scenario is the fact that AirTag devices are only the tip of the iceberg in this technology. Most of what these devices do happens on the back end. Were there to be some spate of nefarious physical changes made to these devices, a back-end update could quietly neutralize those changes or simply warn the tag's owners that there is something wrong with their tag and to please contact customer service. 

    The idea of modifying an AirTag to cause it to bypass Apple's back end is even more daft, as that would disable the means by which the tag communicates with users. It also fails the cost/benefit analysis, in that modifying an AirTag to communicate via some alternate network and then returning it to an unsuspecting victim is far more difficult than the bad guy simply attaching his own bug to a victim without bothering the Apple tracker. It also requires the bad guy to have some back-end system to communicate with. None of this passes that rudimentary is this worth the effort test.
    shamino
  • Reply 58 of 62
    igorskyigorsky Posts: 527member
    Another new product and another genius show us how stupid the inventors are, Apple in this case, for allowing their product to be hacked. 
    Almost anything in this world can be hacked if there's will enough to do so. Go back to your video games.
    StrangeDayspscooter63roundaboutnow
  • Reply 59 of 62
    Bad loser: Can’t admit defeat.

    Bad winner: Stomps the opponent flat on the ground, chews him up, and has one less mate to play with after each game.

    Nice player: Leaves the losing opponent a decent escape route.
  • Reply 60 of 62
    maltzmaltz Posts: 266member
    rob53 said:
    response to @macgui ;

    From Apple:

    Your AirTag sends out a secure Bluetooth signal that can be detected by nearby devices in the Find My network. These devices send the location of your AirTag to iCloud — then you can go to the Find My app and see it on a map. The whole process is anonymous and encrypted to protect your privacy. And itʼs efficient, so thereʼs no need to worry about battery life or data usage.

    lots more:
    https://www.apple.com/airtag/

    I don't believe you have to turn anything on. The capability is built into iOS and works securely behind the scenes. I'm not sure there's a way to turn this feature off unless you turn your iOS device off. Your iPhone is constantly monitoring where you are finding either a WiFi or cellular signal. Even if you turn yours off lots of other people will have there's turned on so triangulation of signal can be performed. 

    Well, you could turn off Bluetooth, which some people do as a matter of course.  I'd wager the vast majority don't, though, either because they use it for pairing with vehicles/headphones/etc or they don't even know what it is.  Otherwise, Airplane mode would also effectively disable this functionality, but people don't intentionally go around with their phone in Airplane mode.  Even in an airport (where you might have an airtag in lost luggage) the airport staff wouldn't be in Airplane mode, and turning that off is one of the first things many people do when they land.
Sign In or Register to comment.