Security researcher successfully hacks and jailbreaks an Apple AirTag
Apple’s new AirTags are an easily accessible tool for keeping track of things that have a nasty habit of getting lost, but the devices have already been criticized for potential privacy concerns. Those criticisms may grow stronger thanks to a German hacker who recently hacked into an AirTag, dumped the device’s firmware, and successfully jailbroke the device.
German security researcher stacksmashing published a video on YouTube today highlighting the hack. Essentially, stacksmashing used voltage-based fault injection, more commonly known as “glitching,” to trick the AirTag into a debug mode. By attaching a Raspberry Pi Pico (which costs about US$4) and an n-channel MOSFET to a capacitor connected directly to the AirTag’s CPU core, he successfully interrupted the CPU’s timing and accessed the device’s firmware via a special debugger.
After dumping the firmware, stacksmashing was able to reflash the AirTag with a custom firmware that changed the URL sent by the AirTag when it is NFC scanned. Normally, an AirTag will direct the scanner to an Apple-owned website that gives the owner’s phone number and a customizable message. However, stacksmashing was able to force the AirTag to (of course) route a scanner to the YouTube video of Rick Astley’s meme-famous song Never Gonna Give You Up.
An interesting point of the hack is that once he obtained one device’s firmware, stacksmashing was able to reflash any other AirTag and inject whatever firmware he pleased. In other words, the injection method theoretically works for all AirTags on the market at this point.
While this experiment is an interesting study into the vulnerabilities of Apple AirTags, it opens the door to potentially malicious uses. An AirTag’s alert systems could be disabled, or the device could be reflashed to direct a scanner toward a malicious website. It seems that, as with practically all of our digital devices, the electronics in our pockets are not as secure as we think they are.