AirTag Successfully Hacked to Show Custom URL in Lost Mode

[MacRumors]

The inevitable race to hack Apple's AirTag item tracker has reportedly been won by a German security researcher, who managed to break into the device's microcontroller and successfully modify its firmware.

https://twitter.com/x/status/1391148503196438529

Thomas Roth, aka Stack Smashing, shared his achievement in a tweet and explained that re-flashing the device's microcontroller had enabled him to change the URL for Lost Mode, so that it opens his personal website on a nearby iPhone or other NFC-enabled device instead of directly linking to an official Find My web address.

Managing to break into the microcontroller is a crucial hurdle to overcome to if the aim is to further manipulate the device's hardware. As The 8-Bit notes:

A microcontroller is an integrated circuit (IC) used for controlling devices usually via a microprocessing unit, memory, and other peripherals. According to AllAboutCircuits, "these devices are optimized for embedded applications that require both processing functionality and agile, responsive interaction with digital, analog, or electromechanical components."

Roth also shared a video comparing a normal AirTag to his modified device.

https://twitter.com/x/status/1391165711448518658

How the hack might be exploited in the wild is unclear at this time, but the fact that it can be done may open up avenues for the jailbreaking community to customize the device in ways Apple didn't intend. On a darker note, it could also present opportunities for bad actors to modify the AirTag software for the purposes of phishing and more.

That's assuming Apple isn't able to remotely block such a modified AirTag from communicating with the Find My network. Alternately, Apple might be able to lock down the firmware in a future AirTag software update. Watch this space.

Article Link: AirTag Successfully Hacked to Show Custom URL in Lost Mode

 

[tomekwsrod]

So if you lose your AirTag and then find it after one day for example, you cannot trust it anymore? Or if you find someones AirTag should you be also wary of placing it near your own phone? This gets interesting.

 

[EfratBarTal]

AirOS?

 

[the_max0r]

I've been following stacksmashing's YouTube channel for a while now and this story is just great!

 

[hellosil]

So far its like a QR code that leads you to a custom url, its danger it being a phishing site.

The real test would be if an AirTag can emulate another AirTag.
So cloning one, and making the second one fake the originals location, sort of like a doppelgänger.

 

[Jumpinbeans]

Basically if you find an airtag and don't know why its there or who it belongs to and its not worth scanning as it may be compromised - smash it

 

[szw-mapple fan]

So if you lose your AirTag and then find it after one day for example, you cannot trust it anymore? Or if you find someones AirTag should you be also wary of placing it near your own phone? This gets interesting.

This won't apply to the vast vast majority of users. It's a security exercise that's just to prove it's possible. People who needs to be worried about this type of exploits won't be using any trackers of this type anyways.

 

[dz5b609]

That's not good.

 

[TheOldChevy]

As long as the sole purpose of your AirTag is to track yours keys or your remote control, this is not really dangerous. The AirTag does not carry other data than its own position. And today it could already be replaced by a similar AirTag without you noticing it. The only thing that could be done is disable its loudspeaker so that you don't know if you are tracked by someone else.

But I can imagine that the AirTag will evolve and carry more features in a near future.

 

[snorkelman]

Basically if you find an airtag and don't know why its there or who it belongs to and its not worth scanning as it may be compromised - smash it

Don't just smash it, smash it with fire!!

 

[NoIdentity]

O guess if tou find an airtah and don’t trust it, you could always take it to the authorities or an Apple store/resseler/service and let them deal with the lost property.

takimg lost things to the authorities is anyway what one should do for most things, having the airtag just makes the return possibile.

 

[centauratlas]

This won't apply to the vast vast majority of users. It's a security exercise that's just to prove it's possible. People who needs to be worried about this type of exploits won't be using any trackers of this type anyways.

The scenario is: modify your airtag to have a URL to a compromised site (phishing or a drive by site like the ones patched in the last update). Anyone who then scans it can be compromise. Drop it at a company's corporate headquarters by the security office or by the CEO's (BoD's, executives, maintenance, food, coffee provider etc) car (or any other office) and then eventually someone will scan it. They then enter the office, join wifi etc with a compromised device which can scan for unprotected devices, monitor network traffic etc. Likewise, their credentials will be then compromised making further intrusions easier.

It is like any machine, with physical access most things can be compromised. This just increases the attack vectors for people who pick them up.

 

[MVMNT]

That's a load of people never buying one second hand from now on...

 

[krewger]

So…. It’s been hacked to be a customizable nfc tag. Looks like a lot of trouble to go through. I could also just put new nfc tags inside the AirTag’s case and accomplish the same thing. Security on your personal device is already in place - the link is displayed on the phone asking if you want to open it first before visiting the URL. https://electronics.howstuffworks.com/nfc-tag.htm

 

[acconda81]

in that case I will be ignoring any notifications from them.

 

[swm]

just wanted to point out, that essentially you can just roll your own honeypot hw - it just needs to fit into something that _looks_ like an AirTag. no need for hacks.
and you can use less complicated ways to get your alternative URL to where it belongs.

either way, it's just like a 'malicious' QR code. maybe the only difference is that the built-in reader in camera app asks you for a confirmation before visiting the decoded URL.

 

[mazz0]

So if you lose your AirTag and then find it after one day for example, you cannot trust it anymore? Or if you find someones AirTag should you be also wary of placing it near your own phone? This gets interesting.

I don't think that's fair. All they've compromised is the NFC URL, and you're shown that before opening it anyway. I suppose all this means is continue checking URLs before you open them (and Apple does a pretty good job of showing you the actual domain you're being directed to).

 

[mpkayeuk]

The scenario is: modify your airtag to have a URL to a compromised site (phishing or a drive by site like the ones patched in the last update). Anyone who then scans it can be compromise. Drop it at a company's corporate headquarters by the security office or by the CEO's (BoD's, executives, maintenance, food, coffee provider etc) car (or any other office) and then eventually someone will scan it. They then enter the office, join wifi etc with a compromised device which can scan for unprotected devices, monitor network traffic etc. Likewise, their credentials will be then compromised making further intrusions easier.

It is like any machine, with physical access most things can be compromised. This just increases the attack vectors for people who pick them up.

Anyone who then scans it can be compromised? How, exactly? Phishing generally requires a user to respond to a request that is verifiable as dubious. I don't see how this is any different to any other phishing attempt, except a million times harder for the bad actor to actually implement.

 

[locrumo]

This guy may could hack TouchID in Iphones 12 in the near future.

 

[Puonti]

The AirTag does not carry other data than its own position.

I don't believe this is accurate. As I understand it:

An AirTag does not know where it is. All it does for location tracking is transmit radio waves. Devices that do know where they are can detect the AirTag, and then tell the FindMy network "I am at this location, and hey there's an AirTag here".

 

[Octopuss]

Basically if you find an airtag and don't know why its there or who it belongs to and its not worth scanning as it may be compromised - smash it

I can simplify this: "if you find an airtag - smash it"
Doesn't apply to Apple Store. Or does.

 

[duanepatrick]

Another 'costly' way for a phishing avenue or new mode of advertising. Lol.

As long as the link will show before I tap it, no worries for me.

 

[Unregistered 4U]

Next up from security researchers
“SWALLOWING AIRTAGS COULD COMPROMISE YOUR DIGESTIVE SYSTEM… WHAT YOU NEED TO KNOW”
or
“if you glue your house key to your airtag and then lose it, AIRTAGS COULD ALLOW SOMEONE ENTRY INTO YOUR HOUSE!”

 

[MrGuder]

All of this work for a airtag 😂
Why? Lol

 

[Corsig]

So there is no way for Apple to fix this?