Getting into a microcontroller essentially means being able both to investigate how the device works (by analyzing the dumped firmware) and to reprogram it to do unexpected things. Stacksmashing demonstrated the second by configuring an AirTag to present a non-Apple URL while in Lost Mode.
Lost Mode gets a little more lost
When an AirTag is put into Lost Mode, touching any NFC-enabled smartphone to the tag brings up a notification with a link to found.apple.com. The link lets anyone who finds a lost item contact its owner, in the hope that the item finds its way home.
After gaining access to the microcontroller, stacksmashing was able to replace the found.apple.com URL with another one. In the screenshot above, the modified URL leads to stacksmashing.net. By itself this is fairly harmless, but it opens a small avenue for targeted malware attacks.
Tapping the AirTag won't open the website it points to directly; the phone's owner has to see the notification, see the URL it leads to, and choose to open it anyway. Still, an advanced attacker could use this method to lure a specific high-value target to a custom malware site, much like the well-known "drop flash drives in the parking lot" technique used by penetration testers.
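To make the "see the URL before you open it" check concrete, here is an added example (not code from this article or from stacksmashing) that decodes the NFC NDEF URI record a Lost Mode tag presents and flags any destination other than found.apple.com over https. It assumes the tag's NFC payload is a standard NDEF well-known "U" (URI) record; the sample records below, including one pointing at stacksmashing.net and one at a constructed lookalike host, are built here for the demonstration.

```python
"""Decode an NFC NDEF URI record and decide whether the link is the genuine one.

Added example, not code from the original article or from stacksmashing.
It assumes the Lost Mode tag exposes a standard NDEF well-known URI ("U")
record; the sample records in main() are constructed for this demonstration.
"""
from urllib.parse import urlsplit

# NFC Forum URI Record Type Definition: the first payload byte selects a
# well-known scheme prefix; 0x00 means the URI is stored in full.
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
}

# The host a genuine Lost Mode tag presents, per the article.
TRUSTED_HOSTS = {"found.apple.com"}


def decode_ndef_uri(msg: bytes) -> str:
    """Parse the first record of an NDEF message and return the URI it carries."""
    flags = msg[0]
    tnf = flags & 0x07            # Type Name Format; 0x01 = NFC Forum well-known type
    short = bool(flags & 0x10)    # SR bit: payload length is 1 byte instead of 4
    has_id = bool(flags & 0x08)   # IL bit: an ID length field is present
    pos = 1
    type_len = msg[pos]; pos += 1
    if short:
        payload_len = msg[pos]; pos += 1
    else:
        payload_len = int.from_bytes(msg[pos:pos + 4], "big"); pos += 4
    id_len = 0
    if has_id:
        id_len = msg[pos]; pos += 1
    rtype = msg[pos:pos + type_len]; pos += type_len
    pos += id_len                 # skip the optional record ID
    payload = msg[pos:pos + payload_len]
    if tnf != 0x01 or rtype != b"U":
        raise ValueError("not an NDEF well-known URI record")
    if len(payload) != payload_len or payload_len == 0:
        raise ValueError("truncated or empty payload")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError(f"unknown URI prefix code {payload[0]:#x}")
    return prefix + payload[1:].decode("utf-8")


def build_ndef_uri(url: str) -> bytes:
    """Encode a URL as a single short NDEF URI record (used to construct samples)."""
    code, rest = 0x00, url
    # Longest matching prefix wins, so "https://www." is preferred over "https://".
    for k, p in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if p and url.startswith(p):
            code, rest = k, url[len(p):]
            break
    payload = bytes([code]) + rest.encode("utf-8")
    # 0xD1 = MB | ME | SR with TNF=1 (well-known); one-byte type and payload lengths.
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload


def classify(msg: bytes) -> tuple:
    """Return (verdict, url); 'trusted' only for an exact trusted host over https.

    Matching the parsed hostname exactly (not a substring) is what defeats a
    lookalike such as found.apple.com.example.net.
    """
    url = decode_ndef_uri(msg)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https" and host in TRUSTED_HOSTS:
        return "trusted", url
    return "untrusted", url


def main():
    # Constructed sample records: a genuine-looking tag, the stacksmashing
    # modification from the article, and a hypothetical lookalike host.
    samples = {
        "stock tag": build_ndef_uri("https://found.apple.com/"),
        "modified tag": build_ndef_uri("https://stacksmashing.net/"),
        "lookalike host": build_ndef_uri("https://found.apple.com.example.net/"),
    }
    for name, record in samples.items():
        verdict, url = classify(record)
        print(f"{name:15s} {record.hex()}  ->  {verdict}: {url}")


if __name__ == "__main__":
    main()
```

The decoder handles both the short-record and four-byte-length forms and the optional ID field, so it also accepts records written by other NDEF tools; the decision logic deliberately compares the parsed hostname, not the raw string, because a substring test on "found.apple.com" would accept the lookalike.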
AirTag’s privacy problems just got worse
AirTags have a serious privacy problem even when running stock firmware. The devices report their location quickly enough, thanks to detection by any nearby iDevice regardless of who owns it, to have significant potential as a stalking tool.
It was not immediately clear how the firmware hack changes this threat landscape, but an attacker could, for example, look for ways to defeat the unknown-AirTag notification on nearby iPhones.
When a standard AirTag travels with an iPhone that is not its owner's for several hours, that iPhone receives a notification about the unfamiliar tag. This should reduce the viability of AirTags as a tracking tool, at least when the target carries an iPhone. Android users receive no notification when an unfamiliar AirTag is traveling with them, regardless of how long it does so.
After about three days away from its owner, an AirTag starts making an audible noise, which alerts a target to the tracker's presence. An attacker could modify the AirTag's firmware to stay silent instead, extending the window in which a hacked tag can be used to track a victim.
Now that the first AirTag has been "jailbroken," it seems likely Apple will respond with server-side changes to block non-standard AirTags from its network. Without access to Apple's network, an AirTag's usefulness, whether for its intended purpose or as a tool to track an unsuspecting victim, becomes negligible.
Listing image by stacksmashing