Why shouldn't I scan an AirTag? That's a tough one, but I'll take a shot. Say I'm working at Apple. Somebody puts an AirTag on my desk, something nobody else can scan. Maybe I take a shot at it and maybe I scan it. And I'm real happy with myself, cause I did my job well. But maybe that URL was the location of some rebel malware...

... on GeoCities or the Facebook. Once they have that location, they flood the browser where the malware was hiding and fifteen hundred cookies I never accepted, never had no problem with, get downloaded. Now the store managers are sayin', "Oh, send in the Genius Bar to secure the browser" cause they don't give a s**t. It won't be their phone over there, gettin' corrupted. Just like it wasn't them when their AirTag got scanned, cause they were pullin' a tour over at Best Buy. It'll be some kid from UPS takin' 30 pin connectors in the ***.

And he comes back to find that the store he used to work at got exported to the country he just got back from. And the guy who put the 30 pin connector in his a** got his old job, cause he'll work for fifteen cents a day and no Applecare. Meanwhile, he realizes the only reason he was over there in the first place was so we could install an iOS update that would sell us Apple watch bands at a good price. And, of course, the case manufacturers used the skirmish over there to scare up domestic case prices. A cute little ancillary benefit for them, but it ain't helping my buddy at two-hundred-fifty a keyboard case.

And they're takin' their sweet time bringin' the cases back, of course, and maybe even took the liberty of hiring an alcoholic skipper who likes to drink martinis and play slalom with the walls of the Suez canal, and it ain't too long 'til he hits one, spills the cases and kills all the sea life in the canal. So now my buddy's out of work and he can't afford to upgrade from his iPhone 5, so he's got to walk to the job interviews, which sucks cause the 30 pin connector in his a** is givin' him chronic disconnects. And meanwhile he's starvin', cause every time he tries to use his keyboard case to order Uber Eats, the only bluetooth connection he gets is to his HiFi.

So what did I think? I'm holdin' out for somethin' better.

I figure F it, while I'm at it why not just set up my buddy with a Chromebook, take his iPhone, give it to someone from Google, hike up AppStore prices, download some cookies, switch to Cortana, install Facebook Messenger and join the Geek Squad? I could be put in charge of Epic.
 
The scenario is: modify your AirTag to have a URL to a compromised site (phishing or a drive-by site like the ones patched in the last update). Anyone who then scans it can be compromised. Drop it at a company's corporate headquarters by the security office or by the CEO's (BoD's, executives, maintenance, food, coffee provider etc) car (or any other office) and then eventually someone will scan it. They then enter the office, join wifi etc with a compromised device which can scan for unprotected devices, monitor network traffic etc. Likewise, their credentials will be then compromised making further intrusions easier.

It is like any machine, with physical access most things can be compromised. This just increases the attack vectors for people who pick them up.
Sure, but the same exploit would work with anything. One could do it with a Tile, or just a regular Airtag that was next to your homemade beacon. To me, the big question is the wisdom of broadcasting a website, and especially opening a website that's being broadcast.
 
So if you lose your AirTag and then find it after one day for example, you cannot trust it anymore? Or if you find someones AirTag should you be also wary of placing it near your own phone? This gets interesting.
I never understand this constant nonsense about losing Airtags. There should be very little chance of this happening. Aren't most people buying them to put on their keyring? Aren't most people going to put them in their purse or wallet? Aren't others going to clip them to the inside of their luggage? Aren't the rest going to hook them to their pet's collar? If any of the above gets lost I would think people are more concerned about their keys, wallet, purse, luggage or pets getting lost over a $29 Airtag. Please stop these ridiculous posts about losing Airtags! It's not like people are buying them to lay on the table at work, a cafe or on a park bench. 🙄
 
This won't apply to the vast vast majority of users. It's a security exercise that's just to prove it's possible. People who need to be worried about this type of exploit won't be using any trackers of this type anyways.
Unless you're a high profile target. Then you just need to get the high profile target's kid to scan the airtag, infect his phone with a 0-day drive by, and suddenly you have network access to this high profile target's home network.

Or perhaps you scan one, and then your network gets infected. Now you're part of a botnet responsible for DDoS or spam or whatever.

The point is that this isn't okay.
 
Anyone who then scans it can be compromised? How, exactly? Phishing generally requires a user to respond to a request that is verifiable as dubious. I don't see how this is any different to any other phishing attempt, except a million times harder for the bad actor to actually implement.
It will add you to a list at a minimum.
So there is no way for Apple to fix this?
They would need to require all code running on an AirTag to be cryptographically signed. That would require changes to the hardware, not just the software.
 
As I see it anything can be made malicious, given enough technology, time, or money. As I can imagine that one can hack a tile, or other tracking device. The problem is not that if you can or cannot do it, but if by doing it you turn anyone into a bad actor for the purpose of mischief.
 
So someone hacked something. I'm wondering what exactly.

So I attached my AirTag to my keys, lost them, put AirTag in lost mode. Nice guy with iPhone gets close to the AirTag, gets my keys, goes on Apple's website and probably finds out how to return my keys to me. Nasty guy with iPhone gets close to the AirTag, gets my keys, takes a hammer to smash up the AirTag, and throws my keys in the rubbish. Hacker with iPhone gets close to the AirTag and does exactly what? Takes my AirTag home, hacks it so it doesn't go to the Apple site, puts my AirTag and keys back where they came from, and the nice guy gets redirected to some website that can't do any harm to the nice guy's phone?

Or is the risk that the hacker buys four AirTags for $99.99, and four old rubbish keys, hacks the AirTags, drops AirTags + keys in the wild and waits... for what exactly? $99.99 for four shots of someone following a malicious link? Wow, if that is made public hackers will spend billions on AirTags to hack!
 
Unless you're a high profile target. Then you just need to get the high profile target's kid to scan the airtag, infect his phone with a 0-day drive by, and suddenly you have network access to this high profile target's home network.
What 0-day drive by? And how would you access my home network? And why on earth would you use an AirTag in between? New risk: If you attach an AirTag to a hammer and lose both, a burglar could find both and use the hammer to break into some house!
 
I just hope Apple release the AirTagAirPro soon—a device that attaches to AirTags so you can track and find them if/when you lose them.

/s
 
So…. It’s been hacked to be a customizable nfc tag. Looks like a lot of trouble to go through. I could also just put new nfc tags inside the AirTag’s case and accomplish the same thing. Security on your personal device is already in place - the link is displayed on the phone asking if you want to open it first before visiting the URL. https://electronics.howstuffworks.com/nfc-tag.htm
As with most *proof of concept* exercises, they of themselves aren't what is interesting.
What follows, after being inspired by the *proof of concept* is usually where the real fun begins 😎
 
So…. It’s been hacked to be a customizable nfc tag. Looks like a lot of trouble to go through. I could also just put new nfc tags inside the AirTag’s case and accomplish the same thing. Security on your personal device is already in place - the link is displayed on the phone asking if you want to open it first before visiting the URL. https://electronics.howstuffworks.com/nfc-tag.htm
I had the same reaction...maybe there are some practical applications...but NFC tags are so much cheaper. I wonder if you hid an NFC tag in an air tag if it would still work.
 
What 0-day drive by?
Theoretically someone could hack an AirTag to show up to others' phones as "lost", but instead of pointing to the Apple URL that assists in locating the owner of the tag, the URL would be changed to a custom one.
If that custom URL happened to contain a zero day vulnerability, then in theory your phone itself just got compromised/hacked by scanning a modified AirTag.

So it's possible a bad AirTag could compromise your phone. Lots of things are theoretically or actually possible. However, it's highly improbable anyone would go through all that work on an attack on the general population. Mainly because it would be silly to burn a zero day iOS exploit that would no doubt be quickly patched as soon as it gets used and discovered in this way. But if you were a high value target for someone? Sure - I could see sophisticated actors using something like this as an additional vector to target someone.
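An added example, not part of any post in this thread: a defensive check that decodes the URL stored in an NFC tag's NDEF URI record and accepts it only when the host is exactly the one expected. The allow-listed host `found.apple.com`, the helper names and both sample records are assumptions constructed for illustration; the thread itself never states the Apple URL.

```python
from urllib.parse import urlsplit

# NFC Forum URI record prefix codes (first payload byte); subset handled here.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}
# Assumption: host of Apple's found-item page; not stated in the thread.
EXPECTED_HOSTS = {"found.apple.com"}


def decode_uri_record(record: bytes) -> str:
    """Decode one short-form NDEF well-known URI record into a URL string."""
    if len(record) < 5:
        raise ValueError("record too short")
    header, type_len, payload_len = record[0], record[1], record[2]
    if not header & 0x10:            # SR flag: payload length is one byte
        raise ValueError("only short records handled")
    if header & 0x08:                # IL flag: an ID length field would follow
        raise ValueError("ID field not handled")
    if header & 0x07 != 0x01 or record[3:3 + type_len] != b"U":
        raise ValueError("not a well-known URI record")
    payload = record[3 + type_len:3 + type_len + payload_len]
    if payload_len < 1 or len(payload) != payload_len:
        raise ValueError("truncated payload")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("unhandled URI prefix code")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")


def is_expected_destination(url: str) -> bool:
    """True only for https URLs whose exact host is on the allow-list."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in EXPECTED_HOSTS


def make_record(prefix_code: int, rest: str) -> bytes:
    """Build a constructed sample record (MB|ME|SR flags, TNF=well-known)."""
    payload = bytes([prefix_code]) + rest.encode("utf-8")
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload


# Constructed samples: the expected link and a look-alike host.
GENUINE = make_record(0x04, "found.apple.com/airtag?pid=0000")
LOOKALIKE = make_record(0x04, "found.apple.com.example.net/airtag?pid=0000")

if __name__ == "__main__":
    for rec in (GENUINE, LOOKALIKE):
        url = decode_uri_record(rec)
        print(url, "->", "expected" if is_expected_destination(url) else "unexpected")
```

The exact-host comparison is the point: a prefix or substring match on the URL would accept the look-alike sample.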
 
just wanted to point out, that essentially you can just roll your own honeypot hw - it just needs to fit into something that _looks_ like an AirTag. no need for hacks.
and you can use less complicated ways to get your alternative URL to where it belongs.

either way, it's just like a 'malicious' QR code. maybe the only difference is that the built-in reader in camera app asks you for a confirmation before visiting the decoded URL.
Actually this confirmation exists for the airtag as well, functionally this is a perfect comparison.
 