A researcher has disclosed a jailbreak hole in Apple's AirTag location trackers.
Apple launched AirTag just last month: small mobile tracking devices that can be attached to personal items as well as IT assets. But a German hardware hacker who goes by the moniker "Stacksmashing" posted a video detailing how he was able to dump and modify the AirTag firmware, opening the door for others to customize and change the operation of the device.
In the YouTube video demonstrating the procedure, Stacksmashing explained that he was able to create a security hole in the AirTag's microcontroller through a process called voltage-based fault injection, or glitching. The flaw provided a way to circumvent the copy protection measures Apple had embedded into the AirTag hardware, specifically blocks on debugging mode that prevent users from dumping and altering firmware settings.
Using a Raspberry Pi Pico as a signal controller (the fault injection process requires microsecond-level precision far beyond manual switches), the hacker was able to modify the electrical voltage being sent to the microcontroller's CPU in such a way as to tell the processor that debugging mode -- disabled by default in the AirTag -- should be turned on.
This process required precise manipulation of both the hardware and the voltage. The hacker noted that he broke a number of AirTag units before he was able to fully pull off the glitching process, and the exploit itself "jumps around a lot" and can take some time to successfully execute.
Once debugging was enabled, Stacksmashing was able to download, or dump, the firmware and then modify it. The altered firmware image could then be re-flashed onto other AirTags. Stacksmashing said re-flashing is a far easier process than dumping the firmware and does not require the same complicated and unreliable glitching process.
Fortunately, Stacksmashing opted not to do anything particularly nefarious or dangerous with his proof-of-concept demonstration. The hacker chose instead to make a simple modification to the URL that loads when a phone scans the tag via Near Field Communication -- in this case, the user is Rickrolled. However, if a hypothetical bad actor opted instead to redirect to something like a fake login page, this flaw could lead to some real-world security headaches.
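The phishing risk described above is easiest to reason about on the phone side: the URL read from a tag is untrusted input and should be checked before it is opened. The following is an added example, not code from the article, Stacksmashing or Apple; it decodes an NFC Forum URI record and accepts only https URLs on an allowlist. The trusted host found.apple.com and the sample payloads are assumptions constructed for the example.

```python
"""Validate the URL carried by an NFC tag before a phone opens it."""
from __future__ import annotations
from urllib.parse import urlsplit

# NFC Forum URI Record Type Definition: the first payload byte selects a
# well-known prefix that is prepended to the UTF-8 remainder.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}

# Assumed allowlist of hosts a tag tap may open (constructed for this example).
TRUSTED_HOSTS = {"found.apple.com"}


def decode_uri_record(payload: bytes) -> str:
    """Expand an NDEF URI record payload into the full URL string."""
    if not payload:
        raise ValueError("empty URI record")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError(f"unsupported URI prefix code {payload[0]:#x}")
    return prefix + payload[1:].decode("utf-8")


def is_trusted_tag_url(url: str) -> bool:
    """Accept only https URLs whose hostname is on the allowlist.

    hostname (not netloc) is compared, and userinfo/ports are rejected, so
    'https://found.apple.com@login.example/' does not slip through.
    """
    try:
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.username is not None or parts.port is not None:
            return False
    except ValueError:          # e.g. a non-numeric port
        return False
    return (parts.hostname or "").lower() in TRUSTED_HOSTS


# Constructed sample payloads: one genuine-looking record, two tampered ones.
SAMPLES = {
    "genuine": bytes([0x04]) + b"found.apple.com/airtag?pid=TEST",
    "rickroll": bytes([0x04]) + b"www.example.org/rickroll",
    "phish": bytes([0x04]) + b"found.apple.com@login.example/",
}


def classify(payload: bytes) -> tuple[str, bool]:
    """Return the decoded URL and whether the phone should open it."""
    url = decode_uri_record(payload)
    return url, is_trusted_tag_url(url)
```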
The hacker told SearchSecurity that, at least in the short term, there is not much risk of this attack technique becoming widely available or easy to automate because the process of voltage-based fault injection is difficult to execute. It could, however, be the first step toward automated attacks on the hardware and more nefarious exploits against Apple users.
"This hack requires a bit of hardware experience and is not something super easy to do or for end users," he said.
"But it opens the door to allow analysis for finding other vulnerabilities that might be usable, for example, via Bluetooth or so."
Privacy concerns remain
Even before the jailbreak was disclosed, security and privacy advocates were raising concerns about potential misuse of AirTags.
Eva Galperin, global policy analyst at the Electronic Frontier Foundation, said that Apple's decision to limit AirTag support to the iPhone is of particular concern. Because someone with an Android phone would not have the ability to spot or control an AirTag easily, it could become the perfect tool for a stalker or abusive partner to quietly track an unwitting person.
"Apple's mitigation, a 60 dB beep that goes off if the AirTag has not been within range of its paired phone in three days, is laughably flimsy. To begin with, it is extremely easy to muffle or eliminate the sound of an AirTag by leaving it between the cushions of a car, wrapping it in tape or removing the speaker," Galperin explained in an email.
"Secondly, this mitigation is absolutely useless if the person being tracked is hard of hearing. AirTags pose a danger to the disabled and to people outside of the Apple ecosystem and I think that Apple needs to take a hard look at the process that led to shipping a product like this."