This weekend, the German security researcher stacksmashing announced that he had broken into, dumped and reflashed the microcontroller of Apple’s new AirTag object-location product.
Breaking into the microcontroller means both that you can examine how the devices work (by analyzing the dumped firmware) and that you can reprogram them to do unexpected things. Stacksmashing demonstrated the latter by reprogramming an AirTag to present a non-Apple URL in Lost Mode.
Lost mode gets a little more lost
When an AirTag is set to Lost Mode, tapping it with an NFC-enabled smartphone brings up a notification with a link to found.apple.com. Through that link, whoever found the item can contact the owner, and with luck the lost item finds its way home.
After breaking into the microcontroller, stacksmashing was able to replace the found.apple.com URL with one of his own; in the demonstration, the modified tag points to stacksmashing.net. By itself this is harmless, but it opens a small additional avenue for targeted phishing or malware attacks.
Tapping the AirTag does not open the referenced website directly: the phone owner must see the notification, read the URL it leads to, and choose to open it anyway. An advanced attacker could still use this to lure a specific high-value target into opening a custom malware site, much like the well-known “seed the parking lot with flash drives” technique used by penetration testers.
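The practical check a defender wants here is to read what URL a tag actually carries before anyone taps “open”. The following is an added example, not stacksmashing’s code or anything from Apple: it assumes the tag hands the phone a standard NFC Forum NDEF well-known URI record (type “U”), which is the usual way a tapped tag delivers a URL, and it uses found.apple.com as the expected host only because the article names it. The sample records are constructed for the example, not captured from a real AirTag.

```python
"""Decode an NDEF URI record and check whether it points where it should.

Added example (not stacksmashing's or Apple's code). Assumes a standard
NDEF well-known URI record; sample messages below are constructed, not
captured from an AirTag.
"""
import struct
from urllib.parse import urlparse

# URI identifier codes from the NFC Forum URI Record Type Definition.
# Only the common ones are listed; any other code is rejected as unknown.
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
}

# Host the "found item" flow is expected to use (taken from the article).
TRUSTED_HOSTS = {"found.apple.com"}


def parse_ndef_uri(message: bytes) -> str:
    """Return the URI carried by the first record of an NDEF message.

    Handles both the short-record (SR) and long-record length forms and
    the optional ID field; accepts only a well-known-type (TNF=1) record
    whose type is 'U'. Anything else raises ValueError.
    """
    if len(message) < 3:
        raise ValueError("message too short for an NDEF record header")
    header = message[0]
    tnf = header & 0x07                 # type name format, low 3 bits
    short_record = bool(header & 0x10)  # SR flag: 1-byte payload length
    has_id = bool(header & 0x08)        # IL flag: ID length byte present
    pos = 1
    type_len = message[pos]
    pos += 1
    if short_record:
        payload_len = message[pos]
        pos += 1
    else:
        (payload_len,) = struct.unpack_from(">I", message, pos)
        pos += 4
    id_len = 0
    if has_id:
        id_len = message[pos]
        pos += 1
    rec_type = message[pos:pos + type_len]
    pos += type_len + id_len            # skip the type and the (unused) ID
    payload = message[pos:pos + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated payload")
    if tnf != 0x01 or rec_type != b"U":
        raise ValueError("not a well-known URI record")
    if not payload:
        raise ValueError("empty URI payload")
    code, rest = payload[0], payload[1:]
    if code not in URI_PREFIXES:
        raise ValueError(f"unknown URI identifier code 0x{code:02x}")
    return URI_PREFIXES[code] + rest.decode("utf-8")


def is_trusted_found_url(uri: str) -> bool:
    """True only for an https URL whose parsed hostname is exactly trusted.

    Comparing the parsed hostname (not a string prefix) defeats look-alikes
    such as found.apple.com.evil.example and userinfo tricks such as
    https://found.apple.com@evil.example/.
    """
    parts = urlparse(uri)
    return parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS


def build_uri_record(uri: str) -> bytes:
    """Encode a URI as one short NDEF 'U' record (header MB|ME|SR, TNF=1)."""
    code = 0x00
    # Longest matching prefix first so "https://www." wins over "https://".
    for c, prefix in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if prefix and uri.startswith(prefix):
            code, uri = c, uri[len(prefix):]
            break
    payload = bytes([code]) + uri.encode("utf-8")
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload


if __name__ == "__main__":
    # Constructed samples: a stock-looking tag, a reflashed one, a look-alike.
    for label, url in [("stock", "https://found.apple.com/airtag?pid=example"),
                       ("reflashed", "https://stacksmashing.net/"),
                       ("look-alike", "https://found.apple.com.example.net/")]:
        uri = parse_ndef_uri(build_uri_record(url))
        print(f"{label:10} {uri}  trusted={is_trusted_found_url(uri)}")
```

The point of checking the parsed hostname rather than eyeballing the string is that a reflashed tag can present anything, including a URL that merely starts with “found.apple.com”; the phone’s notification shows the text, but the decision to open it is still the finder’s.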
AirTag’s privacy concerns have only gotten worse
AirTags already raise a significant privacy issue even with stock firmware. Because they are detected by any nearby Apple device, whoever owns it, they report their location quickly enough to have significant potential as a stalking tool.
It is not yet clear how much hacking the firmware changes this threat landscape, but an attacker could, for example, look for ways to defeat the “foreign AirTag” notification on nearby iPhones.
When a standard AirTag travels with an iPhone it does not belong to for a few hours, that iPhone gets a notification about the nearby tag. This should reduce the viability of AirTags as a stalking tool, at least when the target carries an iPhone. Android users receive no such notification, however long a foreign AirTag travels with them.
After about three days away from its owner, an AirTag begins to emit an audible sound, which would alert a stalking target to the presence of the tracker. A stalker with modified firmware could make the tag stay silent instead, extending the window in which a hacked tag can track a victim.
Now that the first AirTag has been “jailbroken”, Apple seems likely to respond with server-side measures to block non-standard AirTags from its network. Without access to Apple’s network, an AirTag’s usefulness, whether for its intended purpose or as a tool to stalk an unwitting victim, would be essentially nil.