Hackers Are Having a Field Day With AirTags

Last month, Apple released AirTags—and the hacking community is having a field day stress testing them. 

Apple is pitching the AirTag, a 1.26-inch circle that looks like an Apple-branded button, as the most secure and reliable way to track whatever object you don't want to lose: a backpack, keys, a purse, a wallet, or even a pet. AirTags use Bluetooth beacons to share their position to any iPhones nearby, which then transmit the AirTag position to its owner via the Find My app. 

In its first few weeks of release, hackers have rushed to break it down and do research on it, and see what's possible with this tech.

Following up on detailed teardowns from hardware researcher Colin O'Flynn and well known repair company iFixIt, Thomas Roth posted a lengthy video on YouTube where he breaks down the AirTag's innards. Roth, who is a hardware hacker who goes by Stacksmashing online, then explained how he found a way to modify the firmware in the AirTag—essentially jailbreaking it—to make it send a malicious URL to an iPhone that scans it with NFC.

In other words, Roth can now make an AirTag Rickroll an iPhone owner. 

"The AirTags ship in a state where you can not access the internal processor/microcontroller, because during manufacturing they locked the debug interfaces," Roth told Motherboard in an online chat. "I managed to re-activate the debug interface and dump the firmware from the AirTag."

Roth hacked the AirTag mostly because he was interested in its small Apple U1 chip, but he also thinks it could be possible to use its accelerometer as a microphone, turning the AirTag into a bugging device. Doing this would be similar to what security researcher MG did with iPhone cables, turning them into hacking devices. Roth stressed that this is theoretical, and he has not tested it. 

He said that he hopes this is the first step to allow people to do security research on the AirTag and the U1 chip. Of course, there was also a classic hacker motivation.

"Honestly, a big part was 'can I hack this,' and pure curiosity :)," he said. 

Roth isn't the only one. A series of security researchers have posted research, proof of concept attacks, and theoretical attacks that may be possible using AirTags. One blogger even used it for its intended purpose but in a pretty novel way—he mailed an AirTag and tracked it around the United Kingdom to learn more about mail routing. 

Fabian Bräunlein, a security researcher at Positive Security, found that it's possible to broadcast arbitrary data to nearby Apple devices via the Find My protocol, as he explained in a blog post. He did that by "spoofing many AirTags and encoding data in which AirTag is active." Then he made the device upload the data as part of reporting the location of the AirTag. 

Bräunlein thinks this, in theory, could be used to turn AirTags into low-bandwidth long-range communication devices, or to get around air-gapped networks. 

"I was curious whether Find My's Offline Finding network could be (ab)used to upload arbitrary data to the internet, from devices that are not connected to WiFi or mobile internet," Bräunlein told Motherboard in an online chat.

The researcher said he found the AirTag to be "cryptographically well designed."

At the same time, Bräunlein said that Apple could change the design in a way to limit the "misuse potential." 

Apple did not respond to a request for comment.

In general, neither Bräunlein nor Roth's research should raise any alarm for AirTag owners. This is just hackers or security researchers doing their job, and their findings don't show any immediate risk. Still, it's interesting to see how quickly researchers were able to jailbreak the AirTag and find some issues with it. 

Subscribe to our cybersecurity podcast CYBER, here.