Apple's Tiny New Gadget Turns Into a Nightmare for Us All as Hacker Breaks In, Reveals What He Thinks It Can Do
Keep losing your keys? There’s an Apple device for that: the new AirTags, which can be attached to things you frequently lose so you can find them easily.
“AirTag is a supereasy way to keep track of your stuff,” Apple’s website reads.
“Attach one to your keys, slip another in your backpack. And just like that, they’re on your radar in the Find My app, where you can also track down your Apple devices and keep up with friends and family.”
Got my AirTag today and I’m loving it! #Apple #Airtags pic.twitter.com/wEYgW6asqM
— Al Fern (@TheAlFern) May 15, 2021
According to Apple’s website, the $30 tag “sends out a secure Bluetooth signal that can be detected by nearby devices in the Find My network. These devices send the location of your AirTag to iCloud — then you can go to the Find My app and see it on a map. The whole process is anonymous and encrypted to protect your privacy. And itʼs efficient, so thereʼs no need to worry about battery life or data usage.”
Unfortunately, that’s not quite the only thing the AirTag can do, as Vice’s Motherboard noted in a Thursday story.
Thomas Roth, who goes by the online sobriquet Stacksmashing, told the publication he found a way to hack into the hardware of the AirTag and have it send a malicious NFC, or near-field communication, signal to your device. If it comes close enough to your iPhone, it can direct it to a malicious URL.
Yesss!!! After hours of trying (and bricking 2 AirTags) I managed to break into the microcontroller of the AirTag! ???
/cc @colinoflynn @LennertWo pic.twitter.com/zGALc2S2Ph
— stacksmashing (@ghidraninja) May 8, 2021
Here’s Roth demonstrating it in a decidedly non-malicious way, by using the AirTag to “Rickroll” an iPhone. (If you don’t know what the “Rickrolling” meme is, I’m not quite sure whether to consider you out of the loop, lucky or both. Basically, it’s a prank where you pretend you’re sending someone a link to an important or on-topic article. Instead, you’re sending them a link to the music video for the 1987 Rick Astley hit “Never Gonna Give You Up,” which hasn’t aged well.)
Be careful when scanning untrusted AirTags or this might happen to you? pic.twitter.com/LkG5GkvR48
— stacksmashing (@ghidraninja) May 9, 2021
“The AirTags ship in a state where you can not access the internal processor/microcontroller, because during manufacturing they locked the debug interfaces,” Roth told Vice in an online chat. “I managed to re-activate the debug interface and dump the firmware from the AirTag.”
“Honestly, a big part was ‘can I hack this,’ and pure curiosity,” he continued, adding in a smiley face.
To paraphrase Mr. Astley’s witless lyrics, a full commitment to ethical behavior seems to be what Roth is thinking of here, but you’re not going to get that from just any other hacker. Others seem to have caught on to the fact the AirTags aren’t impenetrable.
“Fabian Bräunlein, a security researcher at Positive Security, found that it’s possible to broadcast arbitrary data to nearby Apple devices via the Find My protocol, as he explained in a blog post,” Vice reported. “He did that by ‘spoofing many AirTags and encoding data in which AirTag is active.’ Then he made the device upload the data as part of reporting the location of the AirTag.
“Bräunlein thinks this, in theory, could be used to turn AirTags into low-bandwidth long-range communication devices, or to get around air-gapped networks.”
“I was curious whether Find My’s Offline Finding network could be (ab)used to upload arbitrary data to the internet, from devices that are not connected to WiFi or mobile internet,” Bräunlein said. While he found the AirTags were “cryptographically well designed,” he said Apple could take steps to stop “misuse potential.”
While neither of these hacks are worrisome, unless you particularly dislike Rick Astley, they show the AirTags aren’t entirely secure — and keep in mind, hobbyist hackers don’t have a financial stake in exploiting the AirTags and are much more willing to advertise their exploits.
There’s another security issue with the AirTags, too — and it doesn’t even involve hacking.
As The Washington Post’s Geoffrey Fowler wrote in a May 5 column, the AirTags make it “frighteningly easy” to allow individuals to be stalked.
“To discourage what it calls ‘unwanted tracking,’ Apple built technology into AirTags to warn potential victims, including audible alarms and messages about suspicious AirTags that pop up on iPhones,” he wrote. “To put Apple’s personal security protections to the test, my colleague Jonathan Baran paired an AirTag with his iPhone, slipped his tag in my backpack (with my permission), and then tracked me for a week from across San Francisco Bay.”
“I got multiple alerts: from the hidden AirTag and on my iPhone. But it wasn’t hard to find ways an abusive partner could circumvent Apple’s systems. To name one: The audible alarm only rang after three days — and then it turned out to be just 15 seconds of light chirping. And another: While an iPhone alerted me that an unknown AirTag was moving with me, similar warnings aren’t available for the roughly half of Americans who use Android phones.”
Furthermore: “After placing an AirTag in my bag, my colleague was able to find my whereabouts with remarkable precision. Once he associated the AirTag with his iPhone, the tag’s location showed up in an iPhone app called Find My, included free with iPhones. (It started as a way to find lost Apple products and has now expanded to other things.)”
Fowler called the devices “a new means of inexpensive, effective stalking.”
Apple maintains the AirTags are both secure and difficult for stalkers to use.
“These are an industry-first, strong set of proactive deterrents,” Kaiann Drance, Apple’s vice president of iPhone marketing, said. “It’s a smart and tunable system, and we can continue improving the logic and timing so that we can improve the set of deterrents.”
To be fair, this actually isn’t new. Fowler noted that an AirTag competitor, Tile, provides none of the protections Apple has built in. However, AirTags are the first product of this kind manufactured by one of Silicon Valley’s biggest players — and, for stalkers who may not have even considered using a tracking device before, it could be an unpleasant introduction to a new method of digital stalking.
Yes, this could all be needless alarmism. If it isn’t, however, the AirTag could end up being a $30 Pandora’s box.
Truth and Accuracy
We are committed to truth and accuracy in all of our journalism. Read our editorial standards.
