A German security researcher has shared how they managed to successfully hack an AirTag, which means that Apple’s location-tracking tags haven’t even made it to a month since launch without being jailbroken. In a post on Twitter, stacksmashing shared that he managed to break into the microcontroller of an AirTag—although he had to brick two units before succeeding at the third time of trying:
The microcontroller is basically the integrated circuit (IC) that is responsible for controlling devices. This means that access or control over this component allows a hacker to change what the device actually does.
For example, the researcher shared a demo video of how the AirTag could be modified to bring up a different URL when it is set in “Lost Mode”—and how it can be potentially used for malicious purposes. For some context, Lost Mode is essentially a setting that you can enable on your AirTag goes missing, and when found by an NFC-enabled device (iOS and Android included), users are supposed to be redirected to “found.apple.com” with information of the AirTag owner.
That’s just one example, and it isn’t yet clear what other dangers this vulnerability can pose to users. The most obvious possibility here is the potential for phishing, or malware, so it’s clear that this is something that the security team over at Apple will want to take seriously.
For now, Apple has yet to issue an official statement on the issue, so we’ll have to wait and see. Meanwhile, if you find a lost AirTag, be sure to only click on a redirected link if it brings you to an official Apple site. Check if everything is spelt correctly, and look out for any suspicious characters in the URL when you use a NFC device with a lost AirTag.
This isn’t the first time that AirTags have been modified… in a way. Earlier, users discovered that you could bypass the need for Apple’s rather expensive key rings, and simply drill a hole into the AirTags to tie them onto your personal belongings. We’ve also seen users “rebuilding” AirTags as cards that can be kept within wallets. It’s all pretty interesting, and once I get my hands on a set, I’ll be sure to share the experience with you guys.
So, what do you think? Let us know in the comment section below. If you already own AirTags, share your experience as well—I’d love to hear about them.