Apple AirTag Was Hacked and Successfully Reprogrammed at Will

• A researcher managed to break in the Apple AirTag firmware and change the code.
• In one example, the researcher shows a notification generated by the modified AirTag, displaying a URL under his control.
• There’s a possibility for more malicious potential, but Apple should step in to fix the issue before it gets out of hand.

A German researcher has finally managed to break into the Apple AirTag microcontroller and then proceeded to reflash it with modified firmware. What this means is that the researcher found a working method to make the device run any code, as long as it is supported by its admittedly weak yet theoretically capable hardware.

Yesss!!! After hours of trying (and bricking 2 AirTags) I managed to break into the microcontroller of the AirTag! 🥳🥳🥳

/cc @colinoflynn @LennertWo pic.twitter.com/zGALc2S2Ph

— stacksmashing (@ghidraninja) May 8, 2021

The researcher tried hard, bricked two devices, and eventually did it. In a demonstration of this success, the researcher shows the modification of the URL included on notifications generated when the AirTag is put in “Lost” mode, adding his own website on the pop up instead of the “default” Apple site. Of course, that’s only an example, and one could do way more dangerous things than displaying an innocuous site.

Built a quick demo: AirTag with modified NFC URL 😎

(Cables only used for power) pic.twitter.com/DrMIK49Tu0

— stacksmashing (@ghidraninja) May 8, 2021

Some people immediately wondered if the speaker, 32MB of memory, and the accelerometer available in an AirTag can be used to turn the device into a covert audio recorder. Recording sound by using accelerometers is possible, but it’s not free of technical complications and challenges. It also depends on how the PCB of the device is mounted, how tight the enclosure is, etc. The researcher promised to look into this possibility at a later stage, so we’ll learn about that soon.

The AirTag was released in the market only ten days ago, and it’s already been hacked. We’re not saying that Apple touted it as the most secure device ever, and there’s obviously no way to include a dedicated security chip in it, etc., but this says a lot about the power of determination in hacking.

Also, this forces Apple’s engineers to take remediation steps almost immediately after the product launch. The urgency depends on how useful and dangerous the cracking potential of the small device is going to be, but ignoring the researcher’s findings will be impossible.