This Hacker Just Figured Out How to Reprogram an AirTag

Like most small technological marvels of its kind, Apple’s new AirTag uses an embedded firmware that’s not designed to be customized or tinkered with. It’s not nearly as sophisticated as full-fledged operating systems like iOS or watchOS, but its closed nature and lack of utility hasn’t deterred security researchers from having a go at the AirTag to see exactly what they can do with it by hacking into it.

According to The 8-Bit, a German security researcher has managed to succeed in “jailbreaking” an AirTag by reverse-engineering the code in the microcontroller and then re-flashing it with their own customized version, modifying certain aspects of how the AirTag works.

The researcher, who goes by the pseudonym Stack Smashing, tweeted out news of their accomplishment, adding that the whole experience did take several hours — and two bricked AirTags — to pull off.

Once they got in, however, they were able to dump the firmware and some of the other elements from the microcontroller, and then modify the code and re-flash it back onto the AirTag.

As a simple proof of concept, the researcher changed the URL that is automatically transmitted by the AirTag’s NFC chip, so that instead of pointing to “found.apple.com” it opened to their own website instead.

What This Means

Once Stack Smashing figured out how to extract and re-flash the AirTag firmware, this particular modification would have been relatively simple — theoretically just a matter of finding and replacing the relevant text string — but it does raise the question of what other changes hackers could potentially make to how an AirTag works.

For example, even though Apple has added some of the best privacy protections in the industry, they’re still not enough to prevent AirTags from being used for stalking even as-is. However, if a hacker could disable these anti-stalking protections entirely — for example, prevent an unknown AirTag from advertising its presence in such a way as to trigger an alert on a user’s iPhone — it could present an even more dangerous scenario.

To be clear, unlike the three-day audible alert — which can already be circumvented much more easily by removing the speaker coil anyway — the anti-stalking notifications that appear on a user’s iPhone come from iOS, and not the AirTag. It’s the user’s iPhone that recognizes an unknown AirTag travelling with them, and then decides to alert the user to its presence.

Since this is presumably done using the same ID that the AirTag transmits to announce its presence, so another iPhone can report its location, it seems unlikely that a hacker would be able to override this alert from the AirTag side. Simply disabling the AirTag’s Bluetooth ID would prevent it from being found at all, defeating the purpose of trying to use it as a stalking device, and as long as the AirTag is transmitting its ID, a nearby iPhone is going to notice it and pop up an alert if it determines there’s something suspicious about it.

It’s also worth keeping in mind that this is far from a straightforward process like jailbreaking an iPhone. Since an AirTag has no user-accessible ports, or really any way to upload firmware to it, most average users would not be able to “flash” their AirTag even if hacker-modified firmware packages were made readily available to download. As Stack Smashing notes, this requires figuring out exact “test point mapping” to know where to attach physical wires to the AirTag, in addition to some other advanced hardware to actually read and write to and from the microcontroller.

That said, it doesn’t rule out the possibility that an ambitious hacker might figure how to make an underground business out of selling AirTags that have been modified for some specific purpose, although until researchers actually discover more of what they can actually do with a modified AirTag, it’s unclear if there would be any point to this.

It’s also possible that Apple has safeguards in place to block modified AirTags from reporting into the Find My network, which would help to prevent any security and privacy risks that might result from AirTag modifications. However, even simply customizing the URL transmitted over NFC may have some small risks — modified AirTags could be scattered about for people to “find” and then in turn lead them to phishing or malware sites.

Still, at this point the complexity of the process for modifying and refreshing an AirTag’s firmware is such that we don’t think there’s much to be concerned about. It’s an interesting curiosity, but an AirTag is actually a pretty basic device, and much of what it does relies far more on the iPhones and iPads that make up Apple’s Find My network. There are likely very few things that could be changed in an AirTag’s firmware to pose any real security risks.