AirTag hacked and reprogrammed by security researcher

Posted:
in General Discussion edited May 10
Apple's AirTag can be hacked and its software modified, a security researcher has discovered, with an exploration of the microcontroller revealing elements can be reprogrammed to change what specific functions do.

AirTag (left), and the modified internals (right, via Stack Smashing/Twitter)
AirTag (left), and the modified internals (right, via stacksmashing/Twitter)


Apple is well known for having high levels of security built into its products, and that has naturally led to the new AirTags becoming a target for security researchers. Just over a week after shipping, it seems that some AirTag elements can be modified.

German security researcher "stacksmashing" revealed on Twitter that they were able to "break into the microcontroller" of the AirTag. Posted on Saturday and first reported by The 8-Bit, the tweet thread includes some details about the researcher's exploration of the device.

Built a quick demo: AirTag with modified NFC URL

(Cables only used for power) pic.twitter.com/DrMIK49Tu0

-- stacksmashing (@ghidraninja)


After a few hours and the destruction of multiple tags in the process, the researcher made firmware dumps and eventually discovered the microcontroller could be reflashed. In short, the researcher proved it was possible to alter the programming of the microcontroller, to change how it functions.

An initial demonstration showed an AirTag with a modified NFC URL that, when scanned with an iPhone, displays a custom URL instead of the usual "found.apple.com" link.

While only in its early stages, the research shows that it takes a lot of knowhow and effort to hack AirTag in the first place. During a demonstration video, the modified AirTag is shown attached to cables, which are claimed to provide just power to the device.

It is plausible that similar techniques could be used for malicious purposes, though it is unclear exactly how far it can be pushed at this time.

Given that AirTag relies on the secure Find My network for its Lost Mode to function, it seems likely that Apple would roll out some form of server-side defense against any malicious modified versions.

Since its launch, a hidden debug mode has been found in AirTag, providing developers with considerably more information than users would normally need about the device's hardware.
«134

Comments

  • Reply 1 of 62
    rob53rob53 Posts: 2,562member
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    flyingdpbloggerblogfotoformatgregoriusmpulseimagespscooter63williamlondonkillroyStrangeDaysviclauyyc
  • Reply 2 of 62
    macguimacgui Posts: 2,019member
    Yes, if that hack could be executed with theTV/ movie method of holding a phone close by and installing/altering code, then we'd have FUD worth considering.

    So once this hack is done, and the AirTag reassembled, to the degree of appearing unaltered, then what. It's swapped out for some victim's unmolested AirTag?

    Until it's leaked that the NSA is or the Chinese are selling modified/counterfeit AirTags, I suggest we not worry. Remote possibility doesn't equal even mild probability. I haven't ordered any yet, but will soon. 
    flyingdpgregoriusmviclauyycwatto_cobra
  • Reply 3 of 62
    macguimacgui Posts: 2,019member
    One question I have about locating your AirTag out in the wild... You leave a Tagged item in a cab or ride share, its location should be picked up by nearby iPhones and sent back to you, yeah?

    Does this require any prep of iPhones in the 'crowd', or is it just that an iPhone is nearby, that is– I don't have to toggle something in my iPhone that will alert the owner of a missing tag.


  • Reply 4 of 62
    rob53rob53 Posts: 2,562member
    response to @macgui ;

    From Apple:

    Your AirTag sends out a secure Bluetooth signal that can be detected by nearby devices in the Find My network. These devices send the location of your AirTag to iCloud — then you can go to the Find My app and see it on a map. The whole process is anonymous and encrypted to protect your privacy. And itʼs efficient, so thereʼs no need to worry about battery life or data usage.

    lots more:
    https://www.apple.com/airtag/

    I don't believe you have to turn anything on. The capability is built into iOS and works securely behind the scenes. I'm not sure there's a way to turn this feature off unless you turn your iOS device off. Your iPhone is constantly monitoring where you are finding either a WiFi or cellular signal. Even if you turn yours off lots of other people will have there's turned on so triangulation of signal can be performed. 
    edited May 9 gregoriusmkillroywatto_cobra
  • Reply 5 of 62
    XedXed Posts: 973member
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    elijahgstevenozCloudTalkinSolikillroy
  • Reply 6 of 62
    rob53rob53 Posts: 2,562member
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The power wires that are soldered to the board could be removed but what about all the other wires? Are they just test leads? Looks like they added a couple diodes in there as well. 
    killroy
  • Reply 7 of 62
    ppietrappietra Posts: 254member
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The wires that are mentioned are the ones seen in the video. Before that he had been testing components and flashing the microcontroller with another setup with far more wires. He didn’t hack wirelessly.
  • Reply 8 of 62
    cpsrocpsro Posts: 2,833member
    I guess I’m a little surprised the firmware isn’t digitally signed to prevent modification.
    shamino
  • Reply 9 of 62
    bloggerblogbloggerblog Posts: 2,046member
    Airtags are designed to find your misplaced items, I don’t see how hacking can become a thing. If someone wants to steal your keys, they’ll pull the Airtag from your keychain and toss it. 
    hammeroftruthkillroyStrangeDays
  • Reply 10 of 62
    nicholfdnicholfd Posts: 608member
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple.  The Apple iPhone/iPad/AppleWatch(?) picks up a unique BT ID, and THAT device talks to Apple.  All the AirTag does is broadcast its ID via BlueTooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    gregoriusmviclauyyc
  • Reply 11 of 62
    XedXed Posts: 973member
    ppietra said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The wires that are mentioned are the ones seen in the video. Before that he had been testing components and flashing the microcontroller with another setup with far more wires. He didn’t hack wirelessly.
    Who said he hacked it wirelessly?
    Soliuraharakillroy
  • Reply 12 of 62
    XedXed Posts: 973member
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple.  The Apple iPhone/iPad/AppleWatch(?) picks up a unique BT ID, and THAT device talks to Apple.  All the AirTag does is broadcast its ID via BlueTooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely which will forward their location to Apple which will let you know where they were found.
    killroy
  • Reply 13 of 62
    XedXed Posts: 973member
    Airtags are designed to find your misplaced items, I don’t see how hacking can become a thing. If someone wants to steal your keys, they’ll pull the Airtag from your keychain and toss it. 
    Think about it from the other direction. Think about someone using such a device to track someone without having any information go through Apple.

    Also remember that Apple has anti-stalking features which will notify a user on their device if a rogue tracker is now seemingly following them in a manner that seems abnormal, but this isn't just the present of a BT signal being picked up by your iPhone, but what I assume are cleverly designed algorithms on Apple's servers looking for patterns with an AirTag 's location without its owners iDevice(s) tracking the same path as some other user's iDevice(s).

    Of course, this is all probably easier to hack with less complex and larger trackers from other vendors and probably already exists in the real world by individuals and governments, but since Apple has the greatest mindshare we're only now hearing about these efforts.
    Soli
  • Reply 14 of 62
    nicholfdnicholfd Posts: 608member
    Xed said:
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple.  The Apple iPhone/iPad/AppleWatch(?) picks up a unique BT ID, and THAT device talks to Apple.  All the AirTag does is broadcast its ID via BlueTooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely which will forward their location to Apple which will let you know where they were found.
    YOU really need to read up on how these tags (and others like it) work.  They only talk to an app on a listening device (Find My app on Apple products).  The tags can only broadcast BLE (BlueTooth LE) IDs.  That's why the Tile tags are worthless, unless they are within range of a device that has the Tile App installed - nobody is listening, if the app isn't installed.

    The locating over the internet is because the App (Find My) on the listening devices (iPhone/iPad) reports to Apple that it saw a tag ID (ID only), and what the location of the listening device was when it saw the tag.

    No listening app, and the tag can't communicate.  Period.
    gregoriusmPetrolDaveJanNLfastasleeppscooter63qwerty52uraharaStrangeDaysroundaboutnow
  • Reply 15 of 62
    XedXed Posts: 973member
    rob53 said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The power wires that are soldered to the board could be removed but what about all the other wires? Are they just test leads? Looks like they added a couple diodes in there as well. 
    He needed a way to get the data on and off so he could read and then rewrite it, but unless we assume he's lying—which I don't—there's nothing in article to suggest that this is a scam.
    Soli
  • Reply 16 of 62
    nicholfdnicholfd Posts: 608member
    Xed said:
    Airtags are designed to find your misplaced items, I don’t see how hacking can become a thing. If someone wants to steal your keys, they’ll pull the Airtag from your keychain and toss it. 
    Think about it from the other direction. Think about someone using such a device to track someone without having any information go through Apple.

    Also remember that Apple has anti-stalking features which will notify a user on their device if a rogue tracker is now seemingly following them in a manner that seems abnormal, but this isn't just the present of a BT signal being picked up by your iPhone, but what I assume are cleverly designed algorithms on Apple's servers looking for patterns with an AirTag 's location without its owners iDevice(s) tracking the same path as some other user's iDevice(s).

    Of course, this is all probably easier to hack with less complex and larger trackers from other vendors and probably already exists in the real world by individuals and governments, but since Apple has the greatest mindshare we're only now hearing about these efforts.
    You really don't understand how these work.  Someone could modify the AirTag/Tile.  Unless there are devices, with apps to listen, there is nothing for the tracker to talk to.  Tracker is worthless unless it talks with an app on a device that is in range.
    bloggerblogfastasleeppscooter63qwerty52urahara
  • Reply 17 of 62
    XedXed Posts: 973member
    nicholfd said:
    Xed said:
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple.  The Apple iPhone/iPad/AppleWatch(?) picks up a unique BT ID, and THAT device talks to Apple.  All the AirTag does is broadcast its ID via BlueTooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely which will forward their location to Apple which will let you know where they were found.
    YOU really need to read up on how these tags (and others like it) work.  They only talk to an app on a listening device (Find My app on Apple products).  The tags can only broadcast BLE (BlueTooth LE) IDs.  That's why the Tile tags are worthless, unless they are within range of a device that has the Tile App installed - nobody is listening, if the app isn't installed.

    The locating over the internet is because the App (Find My) on the listening devices (iPhone/iPad) reports to Apple that it saw a tag ID (ID only), and what the location of the listening device was when it saw the tag.

    No listening app, and the tag can't communicate.  Period.
    1) Tile isn't worthless. They've worked for many years for many people. Just because Apple has had a product out for a week that is better doesn't mean their product has been worthless this whole time.

    2) Of course it needs an app (or more accurately a running service) to rely the data, but why do you think that's impossible to do on someone's device? Have you not followed a single article about people installing apps on other people's phones without their consent or developers purposely or unwittingly using code that had a nefarious purpose. I'd link to articles but seeing as how there are countless examples it's just easier for you to google it. I can link that site if you're unfamiliar.
    edited May 9 Soli
  • Reply 18 of 62
    nicholfdnicholfd Posts: 608member
    Xed said:
    nicholfd said:
    Xed said:
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple.  The Apple iPhone/iPad/AppleWatch(?) picks up a unique BT ID, and THAT device talks to Apple.  All the AirTag does is broadcast its ID via BlueTooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely which will forward their location to Apple which will let you know where they were found.
    YOU really need to read up on how these tags (and others like it) work.  They only talk to an app on a listening device (Find My app on Apple products).  The tags can only broadcast BLE (BlueTooth LE) IDs.  That's why the Tile tags are worthless, unless they are within range of a device that has the Tile App installed - nobody is listening, if the app isn't installed.

    The locating over the internet is because the App (Find My) on the listening devices (iPhone/iPad) reports to Apple that it saw a tag ID (ID only), and what the location of the listening device was when it saw the tag.

    No listening app, and the tag can't communicate.  Period.
    1) Tile isn't worthless. They've worked for many years for many people. Just because Apple has had a product out for a week that is better doesn't mean their product has been worthless this whole time.

    2) Of course it needs an app (or more accurately a running service) to rely the data, but why do you think that's impossible to do on someone's device? Have you not followed a single article about people installing apps on other people's phones without their consent or developers purposely or unwittingly using code that had a nefarious purpose. I'd link to articles but seeing as how there are countless examples it's just easier for you to google it. I can link that site if you're unfamiliar.
    You need to improve your reading comprehension.

    I never said Tile is worthless.  I said, "That's why the Tile tags are worthless, unless they are within range of a device that has the Tile App installed - nobody is listening, if the app isn't installed."

    You were exclusively talking about AirTags not talking to Apple.  That is not possible with just the AirTag (no app).  NO app, no communication with anything, anywhere.
    fastasleeppscooter63qwerty52bloggerbloguraharakillroyroundaboutnow
  • Reply 19 of 62
    ppietrappietra Posts: 254member
    Xed said:
    ppietra said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The wires that are mentioned are the ones seen in the video. Before that he had been testing components and flashing the microcontroller with another setup with far more wires. He didn’t hack wirelessly.
    Who said he hacked it wirelessly?
    I assumed that was what you meant when you said that wires are only used for power. But after paying more attention to "rob53" comment I now understand what you meant.
    edited May 9
  • Reply 20 of 62
    XedXed Posts: 973member
    nicholfd said:
    Xed said:
    nicholfd said:
    Xed said:
    nicholfd said:
    Xed said:
    rob53 said:
    So what. Someone who knows what they're doing can do the same thing to every computer ever made. The trick is to make these changes without being obvious. All those jumper wires are obvious. I'd like to see him put it back into the enclosure and try and pass it off as an unmodified AirTag. I'm still waiting for mine and this guy wastes "multiple" AirTags. 
    As the article mentioned, he can flash (i.e.: rewrite) the microcontroller and the wires are only used for power.

    This is an impressive accomplishment for a product that has been out for a week, and to neither see nor acknowledge this blows my mind.

    We have no idea what else could be done in the future. Nefarious users could figure out was to have it bypass sending or receiving data from Apple altogether, which could make this a very useful tool for certain people.

    While I doubt we'll see many doing this, that's not the point for even one person using these in an unintended way for evil is worth protecting against, so I hope Apple can push a way to protect the HW soon.
    The AirTag sends nothing to Apple.  The Apple iPhone/iPad/AppleWatch(?) picks up a unique BT ID, and THAT device talks to Apple.  All the AirTag does is broadcast its ID via BlueTooth for other Apple devices to pick up.

    The AirTag receives nothing from Apple - it only receives data from Apple devices (probably only the device it is paired with.)
    You really need to read up on how these tags (and others like it) work. They very clearly send data to Apple's servers as you can easily verify from your own AirTag or any number of articles and videos detailing how these work.

    To put another way, these do function as ad-hoc devices with BT and UWB when you're within range, but they also work over the internet with your iCloud account so you can locate these trackers when you aren't in range by having them link to other devices securely which will forward their location to Apple which will let you know where they were found.
    YOU really need to read up on how these tags (and others like it) work.  They only talk to an app on a listening device (Find My app on Apple products).  The tags can only broadcast BLE (BlueTooth LE) IDs.  That's why the Tile tags are worthless, unless they are within range of a device that has the Tile App installed - nobody is listening, if the app isn't installed.

    The locating over the internet is because the App (Find My) on the listening devices (iPhone/iPad) reports to Apple that it saw a tag ID (ID only), and what the location of the listening device was when it saw the tag.

    No listening app, and the tag can't communicate.  Period.
    1) Tile isn't worthless. They've worked for many years for many people. Just because Apple has had a product out for a week that is better doesn't mean their product has been worthless this whole time.

    2) Of course it needs an app (or more accurately a running service) to rely the data, but why do you think that's impossible to do on someone's device? Have you not followed a single article about people installing apps on other people's phones without their consent or developers purposely or unwittingly using code that had a nefarious purpose. I'd link to articles but seeing as how there are countless examples it's just easier for you to google it. I can link that site if you're unfamiliar.
    You need to improve your reading comprehension.

    I never said Tile is worthless.  I said, "That's why the Tile tags are worthless, unless they are within range of a device that has the Tile App installed - nobody is listening, if the app isn't installed."

    You were exclusively talking about AirTags not talking to Apple.  That is not possible with just the AirTag (no app).  NO app, no communication with anything, anywhere.
    I was clearly not talking exclusively about AirTags. I even suggested that other trackers are likely even easier to hack than Apple's.

    I don't know how many users Tile has, but it's substantial, especially since it can be used with Android, too. It's very possible that he AirTag firmware could be rewritten to talk disguise itself as a Tile and use its service, or even bypass all that by piggyback on one (or more) of the many and growing cloud APIs found in popular App Store apps that will make forensics very difficult.

    https://www.optiv.com/insights/discover/blog/insecure-api-cloud-computing-causes-and-solutions

    Yet another way for these to be used maliciously with sort of hack is like when hackers would leave USB drives with malware outside secure businesses for people to pick up knowing that a certain percentage of them would foolish insert them into their work computers to see what was on it to simple use. This hack to change the URL and then leave an AirTag where someone would then use the NFC lost mode to pull that new URL which would inject code which would take over an iPhone or other device. How many would verify the URL was coming from a trusted source first? How many times have we seen iOS exploits via Safari since its inception? At that point they don't even need to use a separate tracker to follow you and they know a lot more information about you at the same time.

    https://appleinsider.com/articles/21/03/18/hackers-used-7-zero-days-compromised-websites-to-infiltrate-ios

    Personally, I think it's a good thing researchers try to find weaknesses so that insecurities can be fortified before a real problem emerges, but I have no problem with you believing that nothing bad could ever happen outside the scope of what you've currently observed. That must be nice.
    edited May 9 Solidewme
Sign In or Register to comment.