Apple’s AirTag tracker hasn’t even been out for a week yet, but the conversation surrounding the product hasn’t really gone the way that the company would have preferred. Not long after the AirTag was announced, privacy groups were already sounding the alarm about potential malicious use cases, warning that abusive partners could use the device to keep track of their victims. This was backed up by a Washington Post report which found that the AirTag made it “frighteningly easy” to stalk someone, and that the built-in security measures were not sufficient.
Needless to say, this wasn’t exactly how Apple wanted the first weeks of the AirTag’s existence to go, but to top it all off, someone decided to hack the tracker over the weekend as well. On Saturday, IT security research and YouTube content creator stacksmashing announced on Twitter that he had “managed to break into the microcontroller of the AirTag.” He was then able to re-flash the microcontroller and modify elements of the AirTag software.
In the video below, you can see that the researcher was able to modify the URL that appears in the notification when the AirTag is in Lost Mode and comes into contact with another NFC-enabled device. Whereas the AirTag notification normally redirects users to “found.apple.com” and displays information related to the owner, the researcher was able to edit the notification and have it redirect to his own website instead:
Built a quick demo: AirTag with modified NFC URL 😎
(Cables only used for power) pic.twitter.com/DrMIK49Tu0
— stacksmashing (@ghidraninja) May 8, 2021
This is a relatively innocent outcome, but it’s unclear how much further a driven hacker could push the device or bend it to their will. The researcher also noted that he bricked two AirTag trackers in the process of trying to break into the microcontroller, so it doesn’t appear to be especially simple to do so. That said, now that he has accomplished it, curious tinkerers will undoubtedly figure out how to do the same without bricking their own AirTags.
Whatever the case, as inevitable as a jailbroken AirTag might have been, this will likely raise concerns among those who want to use the AirTag to keep track of important items such as keys, luggage, or bikes. As Apple blog The 8-Bit notes, there’s a good chance that Apple could block hacked AirTags on the Find My network to make them effectively useless. This may discourage people from attempting jailbreaks of their own and hopefully keep unaware passersby safe from hacked AirTags that might try to trick them into visiting malicious websites.
If you want to see more from security researcher smashstacking, you should probably start with this YouTube video about playing multiplayer Game Boy games online, which is even cooler than it sounds: