Jailbreaking Apple devices – especially iPhones – has been a challenge that hacking aficionados and code tinkerers have been playing with for a while now. So, it was only natural that Apple’s entry into the segment of object trackers with the AirTags will gather some enthusiastic response. Interestingly, it only took a few weeks for one such enthusiast to ‘hack’ into the AirTags, albeit to a very small extent.
An IT security researcher, who goes by the username stacksmashing on Twitter (and also has a YouTube channel with the same name) managed to get control over the AirTag’s microcontroller and modified the underlying software that works when Lost Mode is activated. The hacker then managed to replace the default URL that Apple baked into the AirTag software with his own personal website, and even showcased it all in a short video.
Built a quick demo: AirTag with modified NFC URL ?
(Cables only used for power) pic.twitter.com/DrMIK49Tu0
— stacksmashing (@ghidraninja) May 8, 2021
When an AirTag is placed in lost mode and you tap your NFC capable phone against it, it opens a notification that takes users to the found.apple.com URL. Just in case you’re wondering, an NFC-ready Android phone can kickstart the response when a lost AirTag is detected. However, after tinkering with software and reprogramming the microcontroller, the hacker substituted it with a custom URL that led to his own website. The hacker further mentions that the microcontroller can be flashed again.
The feat is impressive, but it also offers a glimpse into the scary side of jailbreaking where AirTag can be gamed for stalking
This is the first instance of an AirTag being hacked to modify its behavior. While the feat is impressive in itself – and will likely raise some alarms at Apple – it is also a sign that a lot more can be done by the jailbreaking community in the months to go. However, there is also a worrying side to it all. What if someone manages to bypass the anti-stalking measures Apple has put in place, and use the AirTags for secretly tracking someone. In a recent investigation by TheWashingtonPost journalist Jeffrey Fowler, it was discovered that there are several shortcomings in the anti-stalking toolkit of AirTags and that they can be misused with relative ease.