Apple AirTag Can Be Hacked, But It's Not as Bad as It Sounds (slashgear.com)
Slashgear reports that a security researcher was able to reprogram one of Apple's new AirTags, "but the process and the end result might not yet be worth the worry."
Like any electronic device, especially "smart" ones, the Apple AirTag has a microcontroller that orchestrates its activities... In a nutshell, Stack Smashing "hacked" the AirTag microcontroller to modify its firmware and make it do something other than what it is designed to. That, at least for now, meant linking to a different URL when an NFC-enabled phone "taps" the tracker. Normally, it would link to found.apple.com in order to initiate the Lost Mode process.
This hack could be used to make phones go to some nefarious website but getting to that point might not exactly be straightforward. The security researcher hasn't disclosed yet the process but he admits bricking at least two AirTags to get there. Unless the tracker's firmware can be modified remotely over the air, the only way you'll get a hacked AirTag would be if you acquired it through other parties.
This AirTag hack might actually be less worrying than the debug menu that Apple may have accidentally left enabled before shipping the trackers. Fortunately, that might be something that is easily fixed with a firmware update...
Re:How do AirTags get firmware updates? (Score:4, Interesting)
An attacker could just remove the internals of the AirTag and replace the entire PCB with their own.
It's similar to leaving a USB stick with malware where people will find it and insert it into their computers without thinking. People just need to learn not scan random NFC tags, random QR codes, or at least to not open URLs that present themselves.
Part of the problem with NFC is that it's a bit like USB, when you scan the tag there is a handshake and a descriptor is downloaded that tells the device what to do with it. The device then decides to open a URL or an app designed to handle that kind of device (e.g. a payment card or Bluetooth device). So just like USB there is scope for mischief if the NFC stack doesn't carefully handle that data or if the app it opens up is vulnerable.
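The "descriptor" the parent describes is an NDEF record; for an AirTag it is a URI record pointing at found.apple.com. As an added example (not from the article, the researcher or Apple), this decodes a short-record NDEF URI and applies the defender-side policy the thread keeps circling back to: show the URL and only auto-open https links to an expected host. The prefix table is deliberately partial (codes 0x00 to 0x06 of the NFC Forum table) and the sample records are constructed, not captured.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Partial NFC Forum URI prefix table; the real table continues to 0x23.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}
TNF_WELL_KNOWN = 0x01

def parse_ndef_uri(record: bytes) -> str:
    """Decode one short-record (SR=1) NDEF URI record: TNF=well-known, type 'U'."""
    if len(record) < 3:
        raise ValueError("record too short")
    hdr, type_len, payload_len = record[0], record[1], record[2]
    sr, il, tnf = bool(hdr & 0x10), bool(hdr & 0x08), hdr & 0x07
    if not sr:
        raise ValueError("only short records (SR=1) handled here")
    pos = 3
    id_len = 0
    if il:                       # optional ID length byte follows payload length
        id_len = record[pos]
        pos += 1
    rtype = record[pos:pos + type_len]
    pos += type_len + id_len     # skip type and optional ID
    payload = record[pos:pos + payload_len]
    if tnf != TNF_WELL_KNOWN or rtype != b"U" or len(payload) != payload_len or not payload:
        raise ValueError("not a URI record, or payload truncated")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:           # reject rather than guess at an unknown abbreviation
        raise ValueError(f"unknown or unsupported URI prefix code {payload[0]:#04x}")
    return prefix + payload[1:].decode("utf-8")

def screen_uri(uri: str, allowed_hosts=("found.apple.com",)) -> Tuple[bool, str]:
    """Policy check run before any URL is opened: https only, host on an allow-list.
    Anything else is displayed to the user and not opened (data:, tel:, shorteners...)."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return False, f"blocked: scheme {parts.scheme!r} is not https"
    if parts.hostname not in allowed_hosts:
        return False, f"blocked: host {parts.hostname!r} not on allow-list"
    return True, "ok"

def build_uri_record(code: int, rest: str) -> bytes:
    """Build a constructed sample record: MB=1, ME=1, SR=1, TNF=well-known, type 'U'."""
    payload = bytes([code]) + rest.encode("utf-8")
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload

# Constructed samples, not captured from real tags.
GOOD = build_uri_record(0x04, "found.apple.com/")          # https://found.apple.com/
DATA_URI = build_uri_record(0x00, "data:text/html,hello")  # the data: URL case from below
```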
Re: How do AirTags get firmware updates? (Score:2)
Well, normally you see what the URL is, before it is opened. Unless of course the iNutters consider that "too complicated" for their wittle tardigrades too.
Or, if we go the way of certain other nutters, the URL syntax will become fully turing complete and be a virus in itself.
Okay, given the existence of data URLs and certain file formats, that might already be the case. BTW: How close to turing complete is Unicode?
Re: (Score:2)
URLs are presented on Android, although of course many people can't tell legit ones from phishing ones.
Things that are handled by apps just open the app though. I have one for my travel card, just tap it to the phone and it displays the balance and recent transactions. Same with bank cards in Google Pay/Apple Pay.
Re: (Score:2)
A URL is only shown if there is no App to handle it.
Or if you can "mouse over" it. Simplest example is a mailto-URL.
Re: (Score:3)
An attacker could just remove the internals of the AirTag and replace the entire PCB with their own.
It's similar to leaving a USB stick with malware where people will find it and insert it into their computers without thinking. People just need to learn not scan random NFC tags, random QR codes, or at least to not open URLs that present themselves.
I avoid shortened links, totally. I can't believe how many legitimate businesses use them when not needed. If it's a clickable link, who cares if it's 15 characters or 35?
Re: How do AirTags get firmware updates? (Score:2)
15 characters is harder to screw up with line breaks, copy/pasting between documents, re-typing on a second device when you can't easily share, etc.
Just because you don't like them doesn't mean they aren't useful.
Re: (Score:2)
An attacker could just remove the internals of the AirTag and replace the entire PCB with their own.
Which does sound easier than what is described in the "hack".
People just need to learn not scan random NFC tags, random QR codes, or at least to not open URLs that present themselves.
You're 100 percent correct. The problem is that as we make computers/phones easier to get on the internet with, it allows people with less knowledge and lesser thought processes (I'm trying to be nice here) to get onto the internet. And damn - they surely don't practice computing hygiene!
I don't scan QR codes unless forced to, like a Covid tracking system at work has. But it's hilarious that we get news about the guy who bricks AirTags while
But of course. (Score:2)
But It's Not as Bad as It Sounds
I'd question this but it was copy/pasted by a /. editor, so I'm sure it's legit.
Re: (Score:2)
But It's Not as Bad as It Sounds
Yes, that is correct.
It's worse.
In other words: (Score:2)
It's so useless that even if you hack it, it can't do anything worth doing. :)
I think they finally crossed the boundary I always predicted. They actually are a jewelry company now. ... If those $0.50 rubber bracelets that "channel energies from the universe into you" are considered jewelry. ;)
Prepare for iPhones that are completely featureless slabs of glass. Literally. "So easy to use!" ;)
No thanks! (Score:2)
Does NFC protocol allow an AirTag-like thing to identify the iPhone owner? I really hope not, but if the tag can send you to a malicious website that can read your FB cookies I am thinking of some scary scenarios. I don't want mysterious packages to know when it has reached me. Then again I keep NFC turned off.. as far as I know.. until the next OS update.... hmm I'd rather Apple not have skin in this game.
Re: (Score:3)
Does NFC protocol allow an AirTag-like thing to identify the iPhone owner? I really hope not, but if the tag can send you to a malicious website that can read your FB cookies I am thinking of some scary scenarios. I don't want mysterious packages to know when it has reached me. Then again I keep NFC turned off.. as far as I know.. until the next OS update.... hmm I'd rather Apple not have skin in this game.
In other news, a malicious actor can obtain root access by standing behind you and watching you log in with their phone recording the video. Then back at Hacker HQ, they can easily see what keys were pressed. Apple has known about this easy exploit for years, and has done nothing about it. /s
I find that the reportage of these sort of "hacks" are just about pointless. I guess it makes the researchers feel relevant. In a world where most of the IOT crap has no security at all, yet people install that stu
I'm sure (Score:3)
At least one of those cop investigative / procedural shows will feature a hand-waving version of this "exploit" during an episode later this year.
Do I have to buy an iPhone to ensure security? (Score:1)
Re: (Score:2)
Apple did think of this concern, at least partly.
If you do happen to own an iPhone, apple will tell you if an AirTag not on your account appears to be moving with you all the time:
https://support.apple.com/en-u... [apple.com]
"AirTag Found Moving With You" message.
It may be valid to ask for a similar app to run on Android.
Re: (Score:2)
Apple did think of this concern, at least partly.
If you do happen to own an iPhone, apple will tell you if an AirTag not on your account appears to be moving with you all the time:
https://support.apple.com/en-u... [apple.com]
"AirTag Found Moving With You" message.
It may be valid to ask for a similar app to run on Android.
Because I'm concerned about privacy, I don't want to use an iPhone or a "normal" Android phone (with Google Play Services). And worse, I'm one of those insane crazy people who only turns the GPS on when it's actually needed, so it may not even work if I did use an iPhone, because it might not know that I'm "moving".
I don't want to have to upload my location to a trillion dollar company all the time to ensure that their other surveillance systems are not tracking me.
There does not appear to be a way t
Re: (Score:2)
It knows that there's a BLE beacon staying in range of your phone. It doesn't need GPS for that.
That being said, cell phones always know where you are, and report it to the telco, because that's how they can route your phone calls to your cell phone - they need to know what cell you are in as you move around so that you can get calls. So if you thought that turning GPS off concealed the location of your cell phone from your telco, you were wrong. GPS, on the other hand, doesn't report your position to anyone - it just tells your phone where you are, so that's less of an invasion of your privacy than the phone being on.
Re: (Score:2)
It knows that there's a BLE beacon staying in range of your phone. It doesn't need GPS for that.
That being said, cell phones always know where you are, and report it to the telco, because that's how they can route your phone calls to your cell phone - they need to know what cell you are in as you move around so that you can get calls. So if you thought that turning GPS off concealed the location of your cell phone from your telco, you were wrong. GPS, on the other hand, doesn't report your position to anyone - it just tells your phone where you are, so that's less of an invasion of your privacy than the phone being on.
I have no belief that telco doesn't know roughly where the phone is when the radio is on, that's plenty obvious.
Despite the severe violations of the four (three) major US carriers in recent years (for which they are being sued presently), they do have at least some duty to their customers based on contract and/or law.
It's a question of who gets the data though. Apps that have background location permission can't get your position when the location services are disabled. I consider these to be the gr
Re: (Score:2)
If an AirTag is in BLE range of your phone for an extended period, and it's not your AirTag, they warn you that there's a tag following you around. That's not dependent on where you actually are, just that it's in BLE range. So I wouldn't expect that it would depend on GPS, just BLE. Though I'm sure that they'd capture GPS if it's available, so that they can report where the tag is if someone's lost it.
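The criterion in that post, a foreign tag that stays in BLE range for an extended period regardless of where you are, can be expressed as a small detection routine over advertisement sightings. This is an added illustration, not Apple's algorithm; it assumes a stable per-tag identifier is visible in the advert (real AirTags rotate theirs), and the sightings below are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

@dataclass(frozen=True)
class Sighting:
    t: float    # seconds since an arbitrary start (constructed)
    tag: str    # assumed stable per-tag identifier from the BLE advertisement
    rssi: int   # received signal strength in dBm

def flag_following_tags(sightings: Iterable[Sighting], owned: Set[str],
                        min_duration: float = 3600.0, max_gap: float = 900.0,
                        min_rssi: int = -85) -> List[str]:
    """Return tags not in `owned` that were heard continuously (no silence longer
    than `max_gap` seconds) for at least `min_duration` seconds. Only BLE sightings
    are used; no GPS fix is needed, matching the behaviour described above."""
    by_tag: Dict[str, List[float]] = {}
    for s in sightings:
        if s.tag in owned or s.rssi < min_rssi:   # skip own tags and distant ones
            continue
        by_tag.setdefault(s.tag, []).append(s.t)
    flagged: List[str] = []
    for tag, times in by_tag.items():
        times.sort()
        run_start = times[0]
        for prev, cur in zip(times, times[1:]):
            if cur - prev > max_gap:
                run_start = cur                   # contact broke; start a new run
            elif cur - run_start >= min_duration:
                flagged.append(tag)               # stayed with us long enough
                break
    return sorted(flagged)

# Constructed sample: two hours of scanning, one sighting every five minutes.
SAMPLE = (
    [Sighting(t, "mine", -60) for t in range(0, 7201, 300)]     # owner's own tag
    + [Sighting(t, "tag-B", -70) for t in range(0, 7201, 300)]  # stranger's tag, continuous
    + [Sighting(0, "tag-C", -65), Sighting(5400, "tag-C", -65)] # two sightings 90 min apart
    + [Sighting(t, "tag-D", -95) for t in range(0, 7201, 300)]  # too weak to count as "near"
)
```

Tuning `max_gap` and `min_duration` trades false alarms in crowded places (a stranger's tag on the same train) against the delay before a genuinely planted tag is reported.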
Re: Do I have to buy an iPhone to ensure security? (Score:3)
If someone wanted to track you like this then there are cheaper and more concealable alternatives already. Yet no-one has been screaming about those… perhaps because it's not a realistic concern outside of espionage thrillers.
It's easier to do targeted tracking of you without your consent using your existing cellphone.
Re: (Score:2)
If someone wanted to track you like this then there are cheaper and more concealable alternatives already. Yet no-one has been screaming about those… perhaps because it's not a realistic concern outside of espionage thrillers.
It's easier to do targeted tracking of you without your consent using your existing cellphone.
Any other tracking system is going to need a cellular modem and GPS and a large battery to operate. You can forego the modem if you're willing to install and then collect the device later. AirTags just need a small battery, the real work is offloaded to a billion iPhones. AirTags also offer criminals plausible deniability. "Oops, yeah, I accidentally left a key in that Uber driver's car." You can't say that if you stuck a cell-enabled GPS tracker to her car. These things will enable *casual* stal
Re: (Score:2)
> It's trivial for you to track me if you can get an AirTag into my possession.
That's a really big if. And again, other products are cheaper and more effective for the only plausible scenarios (hiding on someone's car). Trying to single out Apple here is fearmongering.
Re: (Score:2)
> It's trivial for you to track me if you can get an AirTag into my possession.
That's a really big if. And again, other products are cheaper and more effective for the only plausible scenarios (hiding on someone's car). Trying to single out Apple here is fearmongering.
Apple has deployed a network with a billion sensors to detect the tags. There is no comparison. No one has done anything close to this level before.
And I by no means am suggesting that companies doing this to a lesser magnitude are "better".
Re: (Score:2)
> "No one has done anything close to this level before"
GPS + cellular. It's cheap and easy enough that it's already used daily for roadside bombs planted by terrorists/insurrectionists. Functioning cellphones with SIMs can be picked up for a few dollars.
Re: (Score:2)
Tile does less to protect privacy - if a tile gets near someone running the tile app, it logs it centrally. The only "advantage" of using Tile is that since fewer people are running the Tile app at a given time, it's less likely to get found. Not so good if you want your lost thing, but I guess it's good if your goal is to not have the tile be found.