Image: stacksmashing/YouTube
Following up on detailed teardowns from hardware researcher Colin O'Flynn and the well-known repair company iFixit, Thomas Roth posted a lengthy video on YouTube in which he breaks down the AirTag's innards. Roth, a hardware hacker who goes by Stacksmashing online, then explained how he found a way to modify the firmware in the AirTag—essentially jailbreaking it—to make it send a malicious URL to an iPhone that scans it with NFC. In other words, Roth can now make an AirTag Rickroll an iPhone owner.

"The AirTags ship in a state where you can not access the internal processor/microcontroller, because during manufacturing they locked the debug interfaces," Roth told Motherboard in an online chat. "I managed to re-activate the debug interface and dump the firmware from the AirTag."

Roth hacked the AirTag mostly because he was interested in its small Apple U1 chip, but he also thinks it could be possible to use its accelerometer as a microphone, turning the AirTag into a bugging device. Doing this would be similar to what security researcher MG did with iPhone cables, turning them into hacking devices. Roth stressed that this is theoretical, and he has not tested it.

"Honestly, a big part was 'can I hack this,' and pure curiosity :)"
The researcher said he found the AirTag to be "cryptographically well designed." At the same time, Bräunlein said that Apple could change the design in a way to limit the "misuse potential." Apple did not respond to a request for comment.

In general, neither Bräunlein's nor Roth's research should raise any alarm for AirTag owners. This is just hackers or security researchers doing their job, and their findings don't show any immediate risk. Still, it's interesting to see how quickly researchers were able to jailbreak the AirTag and find some issues with it.

Do you research vulnerabilities on Apple's products? We'd love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com