
macrumors bot
Original poster


The inevitable race to hack Apple's AirTag item tracker has reportedly been won by a German security researcher, who managed to break into the device's microcontroller and successfully modify its firmware.


Thomas Roth, aka Stack Smashing, shared his achievement in a tweet and explained that re-flashing the device's microcontroller had enabled him to change the URL for Lost Mode, so that it opens his personal website on a nearby iPhone or other NFC-enabled device instead of directly linking to an official Find My web address.

Managing to break into the microcontroller is a crucial hurdle to overcome if the aim is to further manipulate the device's hardware. As The 8-Bit notes:
A microcontroller is an integrated circuit (IC) used for controlling devices usually via a microprocessing unit, memory, and other peripherals. According to AllAboutCircuits, "these devices are optimized for embedded applications that require both processing functionality and agile, responsive interaction with digital, analog, or electromechanical components."
Roth also shared a video comparing a normal AirTag to his modified device.


How the hack might be exploited in the wild is unclear at this time, but the fact that it can be done may open up avenues for the jailbreaking community to customize the device in ways Apple didn't intend. On a darker note, it could also present opportunities for bad actors to modify the AirTag software for the purposes of phishing and more.

That's assuming Apple isn't able to remotely block such a modified AirTag from communicating with the Find My network. Alternately, Apple might be able to lock down the firmware in a future AirTag software update. Watch this space.

Article Link: AirTag Successfully Hacked to Show Custom URL in Lost Mode
 
So far it's like a QR code that leads you to a custom URL; its danger is it being a phishing site.

The real test would be if an AirTag can emulate another AirTag.
So cloning one, and making the second one fake the originals location, sort of like a doppelgänger.
 
So if you lose your AirTag and then find it after one day for example, you cannot trust it anymore? Or if you find someones AirTag should you be also wary of placing it near your own phone? This gets interesting.
This won't apply to the vast, vast majority of users. It's a security exercise that's just to prove it's possible. People who need to be worried about this type of exploit won't be using any trackers of this type anyway.
 
As long as the sole purpose of your AirTag is to track your keys or your remote control, this is not really dangerous. The AirTag does not carry other data than its own position. And today it could already be replaced by a similar AirTag without you noticing it. The only thing that could be done is disable its loudspeaker so that you don't know if you are tracked by someone else.

But I can imagine that the AirTag will evolve and carry more features in a near future.
 
I guess if you find an AirTag and don't trust it, you could always take it to the authorities or an Apple Store/reseller/service and let them deal with the lost property.

Taking lost things to the authorities is anyway what one should do for most things; having the AirTag just makes the return possible.
 
This won't apply to the vast, vast majority of users. It's a security exercise that's just to prove it's possible. People who need to be worried about this type of exploit won't be using any trackers of this type anyway.

The scenario is: modify your AirTag to have a URL to a compromised site (phishing or a drive-by site like the ones patched in the last update). Anyone who then scans it can be compromised. Drop it at a company's corporate headquarters by the security office or by the CEO's (BoD's, executives', maintenance, food, coffee provider, etc.) car (or any other office) and then eventually someone will scan it. They then enter the office, join Wi-Fi, etc. with a compromised device which can scan for unprotected devices, monitor network traffic, etc. Likewise, their credentials will then be compromised, making further intrusions easier.

It is like any machine, with physical access most things can be compromised. This just increases the attack vectors for people who pick them up.
 
So…. It’s been hacked to be a customizable nfc tag. Looks like a lot of trouble to go through. I could also just put new nfc tags inside the AirTag’s case and accomplish the same thing. Security on your personal device is already in place - the link is displayed on the phone asking if you want to open it first before visiting the URL. https://electronics.howstuffworks.com/nfc-tag.htm
 
Just wanted to point out that essentially you can just roll your own honeypot hw; it just needs to fit into something that _looks_ like an AirTag. No need for hacks.
And you can use less complicated ways to get your alternative URL to where it belongs.

Either way, it's just like a 'malicious' QR code. Maybe the only difference is that the built-in reader in the camera app asks you for a confirmation before visiting the decoded URL.
 
So if you lose your AirTag and then find it after one day for example, you cannot trust it anymore? Or if you find someones AirTag should you be also wary of placing it near your own phone? This gets interesting.
I don't think that's fair. All they've compromised is the NFC URL, and you're shown that before opening it anyway. I suppose all this means is continue checking URLs before you open them (and Apple does a pretty good job of showing you the actual domain you're being directed to).
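An added example (Python, not code from the article, the thread, or Thomas Roth's work) showing what sits behind the "check the URL before you open it" advice above. The URL an NFC tag hands to a phone travels as an NDEF URI record; the code encodes and decodes that record, then applies the check a practitioner would actually want: an exact, https-only host match rather than a glance at the string, so lookalike hosts and userinfo tricks are rejected. The official Lost Mode host (found.apple.com) and all sample URLs are assumptions constructed for this example, not values taken from the page.

```python
"""
Added example: NFC NDEF URI record encode/decode plus a host allow-list
check for a URL read from a tag. Not code from the article or from the
AirTag hack; the official host and sample URLs are assumptions.
"""
from urllib.parse import urlsplit

# NDEF URI identifier codes (NFC Forum URI Record Type Definition, subset).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}

# Assumption for the example: the legitimate Lost Mode page lives here.
ALLOWED_HOSTS = {"found.apple.com"}


def encode_uri_record(url: str) -> bytes:
    """Build one short NDEF record of well-known type 'U' carrying url."""
    code, rest = 0x00, url
    # Longest prefix first so "https://www." wins over "https://".
    for c, prefix in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if prefix and url.startswith(prefix):
            code, rest = c, url[len(prefix):]
            break
    payload = bytes([code]) + rest.encode("utf-8")
    if len(payload) > 255:
        raise ValueError("short record is limited to 255 payload bytes")
    # Header: MB=1, ME=1, CF=0, SR=1, IL=0, TNF=0x01 (well-known) -> 0xD1,
    # then type length (1), payload length, type 'U', payload.
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload


def decode_uri_record(record: bytes) -> str:
    """Parse a record back, validating the header before trusting lengths."""
    if len(record) < 4:
        raise ValueError("record too short")
    flags, type_len, payload_len = record[0], record[1], record[2]
    if flags & 0x07 != 0x01 or not flags & 0x10:
        raise ValueError("not a short well-known record")
    if type_len != 1 or record[3:4] != b"U":
        raise ValueError("not a URI record")
    payload = record[4:4 + payload_len]
    if payload_len == 0 or len(payload) != payload_len:
        raise ValueError("truncated payload")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError("unknown URI identifier code %#x" % payload[0])
    return prefix + payload[1:].decode("utf-8")


def is_trusted_lost_mode_url(url: str) -> bool:
    """https only, no userinfo, exact host match (lowercased, port stripped).

    'https://found.apple.com.evil.example/' and
    'https://found.apple.com@evil.example/' both fail here even though
    each starts with the expected text.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    return parts.hostname in ALLOWED_HOSTS


def classify_tag(record: bytes) -> str:
    """What a reader would decide after tapping a tag holding this record."""
    url = decode_uri_record(record)
    return "trusted" if is_trusted_lost_mode_url(url) else "untrusted: " + url


if __name__ == "__main__":
    # Constructed sample tags: one pointing at the assumed official host,
    # two carrying the kind of URL a re-flashed tag could present.
    for sample in ("https://found.apple.com/airtag?example=1",
                   "https://found.apple.com.evil.example/airtag",
                   "https://www.evil.example/lost"):
        print(classify_tag(encode_uri_record(sample)))
```

The check deliberately compares `parts.hostname`, which `urlsplit` lowercases and strips of any port, against the allow-list, and refuses any URL with userinfo; a prefix or substring test on the raw string would pass both of the constructed lookalikes.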
 
The scenario is: modify your AirTag to have a URL to a compromised site (phishing or a drive-by site like the ones patched in the last update). Anyone who then scans it can be compromised. Drop it at a company's corporate headquarters by the security office or by the CEO's (BoD's, executives', maintenance, food, coffee provider, etc.) car (or any other office) and then eventually someone will scan it. They then enter the office, join Wi-Fi, etc. with a compromised device which can scan for unprotected devices, monitor network traffic, etc. Likewise, their credentials will then be compromised, making further intrusions easier.

It is like any machine, with physical access most things can be compromised. This just increases the attack vectors for people who pick them up.
Anyone who then scans it can be compromised? How, exactly? Phishing generally requires a user to respond to a request that is verifiable as dubious. I don't see how this is any different to any other phishing attempt, except a million times harder for the bad actor to actually implement.
 
The AirTag does not carry other data than its own position.
I don't believe this is accurate. As I understand it:

An AirTag does not know where it is. All it does for location tracking is transmit radio waves. Devices that do know where they are can detect the AirTag, and then tell the FindMy network "I am at this location, and hey there's an AirTag here".
 