Security researcher finds a way to change how the AirTag's NFC function works when lost
Just a couple of weeks after the Apple AirTag arrived, a security researcher has already hacked into the possession-tracking gadget.
But far from being able to use the device maliciously, the researcher, who goes by the name of stacksmashing, has managed to change how the AirTag's NFC chip works when Lost Mode is enabled.
In normal use, an AirTag that has been remotely switched to Lost Mode by its owner will send a web address to any smartphone held close by. This web page, a part of Apple's Find My system, informs whoever discovers the lost AirTag that it is indeed lost, and shows a phone number for contacting the owner.
By breaking into an AirTag's microcontroller, the security researcher was able to extract the AirTag's firmware and then re-flash the microcontroller with modified firmware. They were then able to edit the web address a lost AirTag sends to a smartphone touched against it.
In a brief demonstration published on Twitter, the researcher showed how the hacked AirTag pointed an iPhone to their own website, instead of to Apple's Find My site. It isn't clear what else a hacker might be able to do with access to the microcontroller, as this example focuses on the NFC chip.
Built a quick demo: AirTag with modified NFC URL 😎
(Cables only used for power) pic.twitter.com/DrMIK49Tu0
— stacksmashing (@ghidraninja) May 8, 2021
However, getting this far wasn't simple, and the researcher admits they broke two AirTags before making the breakthrough.
In theory, the web address could be changed to something malicious, like a phishing scam or a malware download link. However, this would require a hacker to break into the AirTag, change the web address, then put that AirTag into Lost Mode and position it so that their target would discover it, hold it to their smartphone and tap on the malicious link.
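The Lost Mode URL described above reaches the phone as an NFC Forum NDEF URI record. As an added example (not code from the article or from stacksmashing), here is the defender-side check a phone app or NFC reader could apply before opening such a link: a parser for the NDEF URI record followed by an allowlist comparison of the decoded host. The expected host found.apple.com is an assumption, since the article only says the page belongs to Apple's Find My system.

```python
from urllib.parse import urlsplit

# NFC Forum URI RTD "identifier code" prefixes (subset; other codes are rejected).
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.",
    0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}
TNF_WELL_KNOWN = 0x01  # Type Name Format: NFC Forum well-known type

# ASSUMPTION: host a genuine Lost Mode tag is expected to point at; the
# article only says "Apple's Find My system", so adjust for your deployment.
EXPECTED_HOSTS = {"found.apple.com"}


def parse_ndef_uri(record: bytes) -> str:
    """Decode a single NDEF record; return the URI or raise ValueError."""
    if len(record) < 3:
        raise ValueError("record too short")
    flags = record[0]
    sr, il, tnf = flags & 0x10, flags & 0x08, flags & 0x07
    pos = 1
    type_len = record[pos]; pos += 1
    if sr:                                   # short record: 1-byte payload length
        payload_len = record[pos]; pos += 1
    else:                                    # otherwise 4-byte big-endian length
        payload_len = int.from_bytes(record[pos:pos + 4], "big"); pos += 4
    id_len = 0
    if il:                                   # optional ID field present
        id_len = record[pos]; pos += 1
    rec_type = record[pos:pos + type_len]; pos += type_len + id_len
    payload = record[pos:pos + payload_len]
    if tnf != TNF_WELL_KNOWN or rec_type != b"U":
        raise ValueError("not a well-known URI record")
    if len(payload) != payload_len or not payload:
        raise ValueError("truncated payload")
    if payload[0] not in URI_PREFIXES:
        raise ValueError(f"unsupported URI identifier code {payload[0]:#x}")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")


def uri_is_expected(uri: str) -> bool:
    """True only for an https URL whose host is on the allowlist."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and parts.hostname in EXPECTED_HOSTS


def build_uri_record(code: int, suffix: str) -> bytes:
    """Constructed sample record (MB|ME|SR, TNF=1, type 'U') for testing."""
    payload = bytes([code]) + suffix.encode("utf-8")
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload
```

A reader that refuses to open anything failing `uri_is_expected` turns the re-flashed tag's arbitrary URL from a tap-to-phish into a visible anomaly.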
Given the AirTag is so new, most smartphone owners are still unlikely to know about holding a lost AirTag against their phone to help reunite it with its owner. Fewer still are then likely to tap on the non-Apple web address shown on-screen.
It will be interesting to see if Apple acknowledges this jailbreaking of the AirTag, and if it can prevent this demonstration from being replicated by making changes to the Find My system.