
Security researcher successfully hacks and jailbreaks an Apple AirTag

The Apple AirTag has been jailbroken. That didn't take long. (Image via Apple w/ edits)
A German security researcher who goes by the alias "stacksmashing" posted a YouTube video detailing how he was able to dump the firmware of an Apple AirTag. Furthermore, he was able to inject a custom firmware that changed the AirTag's "Lost Mode" function. This could open the door to more malicious jailbreaks of AirTags in the future.

Apple’s new AirTags are an easily accessible tool for keeping track of things that have a nasty habit of getting lost, but the devices have already been criticized for potential privacy concerns. Those criticisms may grow stronger thanks to a German hacker who recently hacked into an AirTag, dumped the device’s firmware, and successfully jailbroke the device.

German security researcher stacksmashing published a video on YouTube today highlighting the hack. Essentially, stacksmashing used voltage-based fault injection, more commonly known as “glitching,” to trick the AirTag into a debug mode. By attaching a Raspberry Pi Pico (which costs about US$4) and an n-channel MOSFET to a capacitor connected directly to the AirTag’s CPU core, he successfully interrupted the CPU’s timing and accessed the device’s firmware via a special debugger.

After dumping the firmware, stacksmashing was able to reflash the AirTag with a custom firmware that changed the URL sent by the AirTag when it is NFC scanned. Normally, an AirTag will direct the scanner to an Apple-owned website that gives the owner’s phone number and a customizable message. However, stacksmashing was able to force the AirTag to (of course) route a scanner to the YouTube video of Rick Astley’s meme-famous song Never Gonna Give You Up.

An interesting point of the hack is that once he obtained one device’s firmware, stacksmashing was able to reflash any other AirTag and inject whatever firmware he pleased. In other words, the injection method theoretically works for all AirTags on the market at this point.

While this experiment is an interesting study into the vulnerabilities of Apple AirTags, it opens the door to potentially malicious uses. An AirTag’s alert systems could be disabled, or the device could be reflashed to direct a scanner toward a malicious website. It seems that, as with practically all of our digital devices, the electronics in our pockets are not as secure as we think they are.
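
As an added example (not from the article or from stacksmashing's work), here is how software that handles NFC scans could refuse a tag whose URL no longer points at Apple. It assumes the URL arrives as a standard NDEF URI record and that Apple's Lost Mode page is served from found.apple.com; the sample records are constructed.

```python
from urllib.parse import urlsplit

# Assumption: hostname of Apple's Lost Mode page (the article names no host).
EXPECTED_HOST = "found.apple.com"
# NFC Forum URI record abbreviation codes (first payload byte), common subset.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}

def parse_ndef_uri(record: bytes) -> str:
    """Decode a single NDEF well-known URI record into a URL string."""
    try:
        header, type_len, pos = record[0], record[1], 2
        if header & 0x10:                      # SR flag: 1-byte payload length
            payload_len, pos = record[pos], pos + 1
        else:                                  # otherwise 4-byte big-endian
            payload_len, pos = int.from_bytes(record[pos:pos + 4], "big"), pos + 4
        id_len = 0
        if header & 0x08:                      # IL flag: ID length byte present
            id_len, pos = record[pos], pos + 1
        rtype = record[pos:pos + type_len]
        pos += type_len + id_len
        payload = record[pos:pos + payload_len]
        code = payload[0]
    except IndexError:
        raise ValueError("truncated NDEF record") from None
    if (header & 0x07) != 0x01 or rtype != b"U":  # TNF 1 (well-known), type "U"
        raise ValueError("not a URI record")
    if len(payload) != payload_len or code not in URI_PREFIXES:
        raise ValueError("bad payload length or prefix code")
    return URI_PREFIXES[code] + payload[1:].decode("utf-8")

def is_expected_url(url: str) -> bool:
    parts = urlsplit(url)  # may raise ValueError on a malformed authority
    # Exact host match over https; userinfo tricks like host@other are rejected.
    return (parts.scheme == "https" and parts.hostname == EXPECTED_HOST
            and parts.username is None)

def check_scan(record: bytes) -> bool:
    try:
        return is_expected_url(parse_ndef_uri(record))
    except ValueError:                         # malformed record or URL
        return False

# Constructed sample records: short record, MB|ME|SR set, TNF=1, type "U".
def _sample(code: int, rest: str) -> bytes:
    payload = bytes([code]) + rest.encode()
    return bytes([0xD1, 1, len(payload)]) + b"U" + payload

GOOD = _sample(0x04, "found.apple.com/airtag?example=1")
REDIRECTED = _sample(0x02, "youtube.com/watch?v=EXAMPLE")
LOOKALIKE = _sample(0x04, "found.apple.com.example.net/airtag")
```

The check only tells a handler where a scanned tag points; it says nothing about whether the tag's firmware is genuine.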

Sam Medley - Senior Tech Writer - 1172 articles published on Notebookcheck since 2016
Sam Medley, 2021-05-12 (Update: 2021-05-12)