Breaking into the microcontroller essentially meant being able both to examine how the devices work (by analyzing the dumped firmware) and to reprogram them to do unexpected things. Stacksmashing demonstrated this by reprogramming an AirTag to present a non-Apple URL in Lost mode.
Lost mode is lost a little more
When an AirTag is set to Lost mode and you tap it with an NFC-enabled smartphone, you’ll see a notification with a link to found.apple.com. Via that link, anyone who has found the lost item can contact its owner, which will hopefully lead to the item finding its way home.
After breaking into the microcontroller, Stacksmashing was able to replace the found.apple.com URL with another one. In the demonstration above, the changed URL leads to stacksmashing.net. In itself, this is pretty harmless – but it could open an additional small avenue for targeted malware attacks.
Tapping the AirTag does not directly open the referenced website. The owner of the phone needs to view the notification, see the URL it leads to, and choose to open it anyway. An advanced attacker could still use this avenue to convince a particular high-value target to open a custom malware site, much like the “seed the parking lot with flash drives” technique used by penetration testers.
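As an added illustration of the defensive side of this (not code from the article or from Stacksmashing), the following Python decodes the URL a tapped tag presents and flags anything that does not point at found.apple.com. It assumes the tag exposes a standard NDEF URI record (prefix-code byte followed by the rest of the URI) and that the stock URL is served over HTTPS; the sample payloads are constructed, not captured from real tags.

```python
from urllib.parse import urlsplit

# NDEF URI record abbreviation codes (NFC Forum URI RTD); only the common web prefixes.
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
}

EXPECTED_HOST = "found.apple.com"  # host a stock AirTag in Lost mode links to (article)


def decode_ndef_uri(payload: bytes) -> str:
    """Expand an NDEF URI payload (one prefix-code byte + UTF-8 remainder) into a full URL."""
    if not payload:
        raise ValueError("empty URI payload")
    code, rest = payload[0], payload[1:]
    if code not in URI_PREFIXES:
        raise ValueError(f"unsupported URI identifier code 0x{code:02x}")
    return URI_PREFIXES[code] + rest.decode("utf-8")


def is_expected_lost_mode_url(url: str) -> bool:
    """True only for an HTTPS URL whose host is exactly the expected Apple host.

    urlsplit().hostname strips userinfo and lowercases, so tricks such as
    'found.apple.com@evil.example' or 'found.apple.com.evil.example' do not match.
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "") == EXPECTED_HOST


def classify_tag_payload(payload: bytes) -> str:
    """Return 'expected', 'unexpected: <url>' or 'invalid: <reason>' for a tapped tag."""
    try:
        url = decode_ndef_uri(payload)
    except (ValueError, UnicodeDecodeError) as exc:
        return f"invalid: {exc}"
    return "expected" if is_expected_lost_mode_url(url) else f"unexpected: {url}"


# Constructed sample payloads (assumed layout; not real AirTag captures).
STOCK_PAYLOAD = bytes([0x04]) + b"found.apple.com/?pid=1234"      # stock Lost-mode link
MODIFIED_PAYLOAD = bytes([0x04]) + b"stacksmashing.net"            # the demo's replaced URL
LOOKALIKE_PAYLOAD = bytes([0x04]) + b"found.apple.com.evil.example"  # hostname-suffix trick

if __name__ == "__main__":
    for name, payload in [("stock", STOCK_PAYLOAD), ("modified", MODIFIED_PAYLOAD),
                          ("lookalike", LOOKALIKE_PAYLOAD)]:
        print(f"{name}: {classify_tag_payload(payload)}")
```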
AirTag’s privacy issues have only gotten worse
AirTags already have a significant privacy problem even when running standard firmware. The devices report their location quickly enough – thanks to detection by nearby iDevices, regardless of who owns them – to have significant potential as a stalker’s tool.
It is not immediately clear to what extent hacking the firmware could change this threat landscape – but an attacker could, for example, look for ways to disable the “foreign AirTag” message for nearby iPhones.
If a standard AirTag stays near an iPhone it doesn’t belong to for several hours, that iPhone will receive a notification about the nearby tag. Hopefully this will reduce AirTags’ viability as a stalking tool – at least if the target is carrying an iPhone. Android users will not receive notifications when a foreign AirTag is traveling with them, regardless of how long it does so.
After approximately three days, a lost AirTag will make an audible noise – which would alert a stalking target to the presence of the tracking device. A stalker could modify an AirTag’s firmware to remain silent instead, expanding the hacked tag’s window of viability for tracking a victim.
Once the first AirTag has been jailbroken, Apple will likely respond with server-side efforts to block non-standard AirTags from its network. Without access to the Apple network, an AirTag’s usefulness – either for its intended purpose or as a tool for tracking an unwitting victim – would be essentially nil.
Listing image by Stacksmashing