AirTag hacked and reprogrammed by security researcher

Posted in General Discussion, edited May 2021
Apple's AirTag can be hacked and its software modified, a security researcher has discovered, with an exploration of the microcontroller revealing elements can be reprogrammed to change what specific functions do.

AirTag (left), and the modified internals (right, via Stack Smashing/Twitter)

Apple is well known for having high levels of security built into its products, and that has naturally led to the new AirTags becoming a target for security researchers. Just over a week after shipping, it seems that some AirTag elements can be modified.

German security researcher "stacksmashing" revealed on Twitter that they were able to "break into the microcontroller" of the AirTag. Posted on Saturday and first reported by The 8-Bit, the tweet thread includes some details about the researcher's exploration of the device.

Built a quick demo: AirTag with modified NFC URL

(Cables only used for power) pic.twitter.com/DrMIK49Tu0

-- stacksmashing (@ghidraninja)


After a few hours and the destruction of multiple tags in the process, the researcher made firmware dumps and eventually discovered the microcontroller could be reflashed. In short, the researcher proved it was possible to alter the programming of the microcontroller, to change how it functions.

An initial demonstration showed an AirTag with a modified NFC URL that, when scanned with an iPhone, displays a custom URL instead of the usual "found.apple.com" link.

While only in its early stages, the research shows that it takes a lot of know-how and effort to hack AirTag in the first place. During a demonstration video, the modified AirTag is shown attached to cables, which are claimed to provide only power to the device.

It is plausible that similar techniques could be used for malicious purposes, though it is unclear exactly how far it can be pushed at this time.

Given that AirTag relies on the secure Find My network for its Lost Mode to function, it seems likely that Apple would roll out some form of server-side defense against any malicious modified versions.

Since its launch, a hidden debug mode has been found in AirTag, providing developers with considerably more information than users would normally need about the device's hardware.

Comments

  • Reply 1 of 63
    rob53 Posts: 3,251 member
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
  • Reply 2 of 63
    macgui Posts: 2,358 member
    Yes, if that hack could be executed with theTV/ movie method of holding a phone close by and installing/altering code, then we'd have FUD worth considering.

    So once this hack is done, and the AirTag reassembled, to the degree of appearing unaltered, then what. It's swapped out for some victim's unmolested AirTag?

    Until it's leaked that the NSA is or the Chinese are selling modified/counterfeit AirTags, I suggest we not worry. Remote possibility doesn't equal even mild probability. I haven't ordered any yet, but will soon. 
  • Reply 3 of 63
    macgui Posts: 2,358 member
    One question I have about locating your AirTag out in the wild... You leave a Tagged item in a cab or ride share, its location should be picked up by nearby iPhones and sent back to you, yeah?

    Does this require any prep of iPhones in the 'crowd', or is it just that an iPhone is nearby? That is, I don't have to toggle something in my iPhone that will alert the owner of a missing tag.
  • Reply 4 of 63
    rob53 Posts: 3,251 member
    response to @macgui:

    From Apple:

    Your AirTag sends out a secure Bluetooth signal that can be detected by nearby devices in the Find My network. These devices send the location of your AirTag to iCloud — then you can go to the Find My app and see it on a map. The whole process is anonymous and encrypted to protect your privacy. And itʼs efficient, so thereʼs no need to worry about battery life or data usage.

    lots more:
    https://www.apple.com/airtag/

    I don't believe you have to turn anything on. The capability is built into iOS and works securely behind the scenes. I'm not sure there's a way to turn this feature off unless you turn your iOS device off. Your iPhone is constantly monitoring where you are, finding either a WiFi or cellular signal. Even if you turn yours off, lots of other people will have theirs turned on so triangulation of signal can be performed.
    edited May 2021
  • Reply 5 of 63
    Xed Posts: 2,546 member
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out ways to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
  • Reply 6 of 63
    rob53 Posts: 3,251 member
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out ways to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The power wires that are soldered to the board could be removed but what about all the other wires? Are they just test leads? Looks like they added a couple diodes in there as well. 
  • Reply 7 of 63
    ppietra Posts: 288 member
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out ways to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The wires that are mentioned are the ones seen in the video. Before that he had been testing components and flashing the microcontroller with another setup with far more wires. He didn’t hack wirelessly.
  • Reply 8 of 63
    cpsro Posts: 3,198 member
    I guess I’m a little surprised the firmware isn’t digitally signed to prevent modification.
  • Reply 9 of 63
    bloggerblog Posts: 2,464 member
    AirTags are designed to find your misplaced items, I don’t see how hacking can become a thing. If someone wants to steal your keys, they’ll pull the AirTag from your keychain and toss it.
  • Reply 10 of 63
    nicholfd Posts: 824 member
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out ways to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple. The Apple iPhone/iPad/Apple Watch(?) picks up a unique BT ID, and THAT device talks to Apple. All the AirTag does is broadcast its ID via Bluetooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
  • Reply 11 of 63
    Xed Posts: 2,546 member
    ppietra said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out ways to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The wires that are mentioned are the ones seen in the video. Before that he had been testing components and flashing the microcontroller with another setup with far more wires. He didn’t hack wirelessly.
    Who said he hacked it wirelessly?
  • Reply 12 of 63
    Xed Posts: 2,546 member
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out ways to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple. The Apple iPhone/iPad/Apple Watch(?) picks up a unique BT ID, and THAT device talks to Apple. All the AirTag does is broadcast its ID via Bluetooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put it another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely, which will forward their location to Apple, which will let you know where they were found.
  • Reply 13 of 63
    Xed Posts: 2,546 member
    AirTags are designed to find your misplaced items, I don’t see how hacking can become a thing. If someone wants to steal your keys, they’ll pull the AirTag from your keychain and toss it.
    Think about it from the other direction. Think about someone using such a device to track someone without having any information go through Apple.

    Also remember that Apple has anti-stalking features which will notify a user on their device if a rogue tracker is now seemingly following them in a manner that seems abnormal, but this isn't just the presence of a BT signal being picked up by your iPhone, but what I assume are cleverly designed algorithms on Apple's servers looking for patterns with an AirTag's location without its owner's iDevice(s) tracking the same path as some other user's iDevice(s).

    Of course, this is all probably easier to hack with less complex and larger trackers from other vendors and probably already exists in the real world by individuals and governments, but since Apple has the greatest mindshare we're only now hearing about these efforts.
  • Reply 14 of 63
    nicholfd Posts: 824 member
    Xed said:
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out ways to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple. The Apple iPhone/iPad/Apple Watch(?) picks up a unique BT ID, and THAT device talks to Apple. All the AirTag does is broadcast its ID via Bluetooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put it another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely, which will forward their location to Apple, which will let you know where they were found.
    YOU really need to read up on how these tags (and others like it) work. They only talk to an app on a listening device (Find My app on Apple products). The tags can only broadcast BLE (Bluetooth LE) IDs. That's why the Tile tags are worthless, unless they are within range of a device that has the Tile App installed - nobody is listening, if the app isn't installed.

    The locating over the internet is because the App (Find My) on the listening devices (iPhone/iPad) reports to Apple that it saw a tag ID (ID only), and what the location of the listening device was when it saw the tag.

    No listening app, and the tag can't communicate.  Period.
  • Reply 15 of 63
    Xed Posts: 2,546 member
    rob53 said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out ways to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The power wires that are soldered to the board could be removed but what about all the other wires? Are they just test leads? Looks like they added a couple diodes in there as well. 
    He needed a way to get the data on and off so he could read and then rewrite it, but unless we assume he's lying—which I don't—there's nothing in the article to suggest that this is a scam.
  • Reply 16 of 63
    nicholfd Posts: 824 member
    Xed said:
    AirTags are designed to find your misplaced items, I don’t see how hacking can become a thing. If someone wants to steal your keys, they’ll pull the AirTag from your keychain and toss it.
    Think about it from the other direction. Think about someone using such a device to track someone without having any information go through Apple.

    Also remember that Apple has anti-stalking features which will notify a user on their device if a rogue tracker is now seemingly following them in a manner that seems abnormal, but this isn't just the presence of a BT signal being picked up by your iPhone, but what I assume are cleverly designed algorithms on Apple's servers looking for patterns with an AirTag's location without its owner's iDevice(s) tracking the same path as some other user's iDevice(s).

    Of course, this is all probably easier to hack with less complex and larger trackers from other vendors and probably already exists in the real world by individuals and governments, but since Apple has the greatest mindshare we're only now hearing about these efforts.
    You really don't understand how these work.  Someone could modify the AirTag/Tile.  Unless there are devices, with apps to listen, there is nothing for the tracker to talk to.  Tracker is worthless unless it talks with an app on a device that is in range.
  • Reply 17 of 63
    Xed Posts: 2,546 member
    nicholfd said:
    Xed said:
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out ways to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple. The Apple iPhone/iPad/Apple Watch(?) picks up a unique BT ID, and THAT device talks to Apple. All the AirTag does is broadcast its ID via Bluetooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put it another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely, which will forward their location to Apple, which will let you know where they were found.
    YOU really need to read up on how these tags (and others like it) work. They only talk to an app on a listening device (Find My app on Apple products). The tags can only broadcast BLE (Bluetooth LE) IDs. That's why the Tile tags are worthless, unless they are within range of a device that has the Tile App installed - nobody is listening, if the app isn't installed.

    The locating over the internet is because the App (Find My) on the listening devices (iPhone/iPad) reports to Apple that it saw a tag ID (ID only), and what the location of the listening device was when it saw the tag.

    No listening app, and the tag can't communicate.  Period.
    1) Tile isn't worthless. They've worked for many years for many people. Just because Apple has had a product out for a week that is better doesn't mean their product has been worthless this whole time.

    2) Of course it needs an app (or more accurately a running service) to relay the data, but why do you think that's impossible to do on someone's device? Have you not followed a single article about people installing apps on other people's phones without their consent, or developers purposely or unwittingly using code that had a nefarious purpose? I'd link to articles but, seeing as how there are countless examples, it's just easier for you to google it. I can link that site if you're unfamiliar.
    edited May 2021
  • Reply 18 of 63
    nicholfd Posts: 824 member
    Xed said:
    nicholfd said:
    Xed said:
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out ways to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple. The Apple iPhone/iPad/Apple Watch(?) picks up a unique BT ID, and THAT device talks to Apple. All the AirTag does is broadcast its ID via Bluetooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put it another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely, which will forward their location to Apple, which will let you know where they were found.
    YOU really need to read up on how these tags (and others like it) work. They only talk to an app on a listening device (Find My app on Apple products). The tags can only broadcast BLE (Bluetooth LE) IDs. That's why the Tile tags are worthless, unless they are within range of a device that has the Tile App installed - nobody is listening, if the app isn't installed.

    The locating over the internet is because the App (Find My) on the listening devices (iPhone/iPad) reports to Apple that it saw a tag ID (ID only), and what the location of the listening device was when it saw the tag.

    No listening app, and the tag can't communicate.  Period.
    1) Tile isn't worthless. They've worked for many years for many people. Just because Apple has had a product out for a week that is better doesn't mean their product has been worthless this whole time.

    2) Of course it needs an app (or more accurately a running service) to relay the data, but why do you think that's impossible to do on someone's device? Have you not followed a single article about people installing apps on other people's phones without their consent, or developers purposely or unwittingly using code that had a nefarious purpose? I'd link to articles but, seeing as how there are countless examples, it's just easier for you to google it. I can link that site if you're unfamiliar.
    You need to improve your reading comprehension.

    I never said Tile is worthless.  I said, "That's why the Tile tags are worthless, unless they are within range of a device that has the Tile App installed - nobody is listening, if the app isn't installed."

    You were exclusively talking about AirTags not talking to Apple.  That is not possible with just the AirTag (no app).  NO app, no communication with anything, anywhere.
  • Reply 19 of 63
    ppietra Posts: 288 member
    Xed said:
    ppietra said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out ways to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The wires that are mentioned are the ones seen in the video. Before that he had been testing components and flashing the microcontroller with another setup with far more wires. He didn’t hack wirelessly.
    Who said he hacked it wirelessly?
    I assumed that was what you meant when you said that wires are only used for power. But after paying more attention to rob53's comment I now understand what you meant.
    edited May 2021
  • Reply 20 of 63
    Xed Posts: 2,546 member
    nicholfd said:
    Xed said:
    nicholfd said:
    Xed said:
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out ways to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple. The Apple iPhone/iPad/Apple Watch(?) picks up a unique BT ID, and THAT device talks to Apple. All the AirTag does is broadcast its ID via Bluetooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put it another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely, which will forward their location to Apple, which will let you know where they were found.
    YOU really need to read up on how these tags (and others like it) work. They only talk to an app on a listening device (Find My app on Apple products). The tags can only broadcast BLE (Bluetooth LE) IDs. That's why the Tile tags are worthless, unless they are within range of a device that has the Tile App installed - nobody is listening, if the app isn't installed.

    The locating over the internet is because the App (Find My) on the listening devices (iPhone/iPad) reports to Apple that it saw a tag ID (ID only), and what the location of the listening device was when it saw the tag.

    No listening app, and the tag can't communicate. Period.
    1) Tile isn't worthless. They've worked for many years for many people. Just because Apple has had a product out for a week that is better doesn't mean their product has been worthless this whole time.

    2) Of course it needs an app (or more accurately a running service) to relay the data, but why do you think that's impossible to do on someone's device? Have you not followed a single article about people installing apps on other people's phones without their consent, or developers purposely or unwittingly using code that had a nefarious purpose? I'd link to articles but seeing as how there are countless examples it's just easier for you to google it. I can link that site if you're unfamiliar.
    You need to improve your reading comprehension.

    I never said Tile is worthless. I said, "That's why the Tile tags are worthless, unless they are within range of a device that has the Tile App installed - nobody is listening, if the app isn't installed."

    You were exclusively talking about AirTags not talking to Apple. That is not possible with just the AirTag (no app). NO app, no communication with anything, anywhere.
    I was clearly not talking exclusively about AirTags. I even suggested that other trackers are likely even easier to hack than Apple's.

    I don't know how many users Tile has, but it's substantial, especially since it can be used with Android, too. It's very possible that the AirTag firmware could be rewritten to disguise itself as a Tile and use its service, or even bypass all that by piggybacking on one (or more) of the many and growing cloud APIs found in popular App Store apps, which will make forensics very difficult.

    https://www.optiv.com/insights/discover/blog/insecure-api-cloud-computing-causes-and-solutions

    Yet another way for these to be used maliciously with this sort of hack is like when hackers would leave USB drives with malware outside secure businesses for people to pick up, knowing that a certain percentage of them would foolishly insert them into their work computers to see what was on them or simply to use them. With this hack one could change the URL and then leave an AirTag where someone would use the NFC lost mode to pull that new URL, which would inject code that would take over an iPhone or other device. How many would verify the URL was coming from a trusted source first? How many times have we seen iOS exploits via Safari since its inception? At that point they don't even need to use a separate tracker to follow you, and they know a lot more information about you at the same time.

    https://appleinsider.com/articles/21/03/18/hackers-used-7-zero-days-compromised-websites-to-infiltrate-ios

    Personally, I think it's a good thing researchers try to find weaknesses so that insecurities can be fortified before a real problem emerges, but I have no problem with you believing that nothing bad could ever happen outside the scope of what you've currently observed. That must be nice.
    edited May 2021
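The check this reply asks about ("How many would verify the URL was coming from a trusted source first?"), as an added example that is not code from the article, the commenters or the researcher: decode the NDEF URI record an AirTag presents over NFC and accept it only when the parsed host is exactly found.apple.com over https. The record layout follows the NFC Forum URI record type; the sample records are constructed here, and the real tag's path and query are not reproduced.

```python
from urllib.parse import urlsplit

# NFC Forum URI record ("U") prefix abbreviations: first payload byte -> prefix.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}
EXPECTED_HOST = "found.apple.com"  # host an unmodified AirTag's NFC link uses, per the article

def build_uri_record(prefix_code: int, rest: str) -> bytes:
    """Build a short NDEF URI record (constructed test data, not a real tag dump)."""
    payload = bytes([prefix_code]) + rest.encode("utf-8")
    # Header 0xD1 = MB|ME|SR flags, TNF=1 (well-known type); then type len, payload len, "U".
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload

def parse_ndef_uri(record: bytes) -> str:
    """Decode one short NDEF URI record into its full URL; raise on anything else."""
    if len(record) < 4:
        raise ValueError("record too short")
    header, type_len, payload_len = record[0], record[1], record[2]
    if (header & 0x07) != 0x01 or not (header & 0x10) or (header & 0x08):
        raise ValueError("only short, ID-less NFC Forum well-known records are handled")
    pos = 3 + type_len
    if record[3:pos] != b"U":
        raise ValueError("not a URI record")
    payload = record[pos:pos + payload_len]
    if len(payload) != payload_len or not payload:
        raise ValueError("truncated payload")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError(f"unsupported URI prefix code {payload[0]:#04x}")
    return prefix + payload[1:].decode("utf-8")

def is_trusted_airtag_url(url: str) -> bool:
    """Accept only https with the parsed hostname exactly found.apple.com; comparing the
    hostname rather than a string prefix rejects look-alikes such as found.apple.com.example.net."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == EXPECTED_HOST

# Constructed sample records; the real tag's path and query are not reproduced.
GENUINE_RECORD = build_uri_record(0x04, "found.apple.com/")
MODIFIED_RECORD = build_uri_record(0x04, "example.net/lost")
LOOKALIKE_RECORD = build_uri_record(0x04, "found.apple.com.example.net/")

if __name__ == "__main__":
    for rec in (GENUINE_RECORD, MODIFIED_RECORD, LOOKALIKE_RECORD):
        url = parse_ndef_uri(rec)
        print(f"{url:45} trusted={is_trusted_airtag_url(url)}")
```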