It’s Already Possible To Hack An AirTag To Display A Custom URL When Lost
Apple’s AirTag item tracker has been on sale for a little more than a week but that was all that was needed for one researcher to figure out how to hack it. German security researcher Stack Smashing was able to take an AirTag, hack it, and then have it present a custom URL when found in Lost Mode.
Lost Mode is designed to help relocate lost AirTag with their owners by giving finders a URL to visit. But once hacked, the security researcher found that they could then overwrite the URL Apple configured – setting their own in its place.
The hack was first spotted by The 8-bit and they say that the whole process was a case reflashing the AirTag’s microcontroller.
German security researcher and YouTube content creator that goes by the name Stack Smashing tweeted today that they were successful in “breaking into the microcontroller of the AirTag.” They were then able to re-flash the microcontroller that enabled them to modify elements of AirTag’s software.
You can check out the result in the tweets below. Note that the cables you see are only providing power – no cables are needed once the AirTag has been hacked.
Built a quick demo: AirTag with modified NFC URL 😎
It isn’t clear whether this can ultimately be a security risk for Apple because there is a chance the URL presented by the AirTag could be nefarious. We also don’t yet know whether Apple can plug this particular security hole now that AirTag are out in the wild.