Apple AirTag Hacked, Says Security Researcher Who Found Loopholes to Modify Firmware

 

German security researcher Thomas Roth who goes by the word "stacksmashing" on Twitter has managed to "break" the microcontroller AirTag's 

Apple AirTag, a Bluetooth tracker launched last month to allow people to retrieve their lost items, is said to have some security features that could allow hackers to change their firmware. A security researcher has identified gaps by hacking AirTag using reverse engineering. The researcher said on Twitter that he was able to change the NFC default link available with the tracker by re-opening its microcontroller. This appears to be the first successful "jailbreak" attempt on AirTag, which Apple claims is built on privacy and security in its context.

German security researcher Thomas Roth, who goes by the word "stacksmashing" on social media, wrote on Twitter on Sunday that he had successfully hacked Apple AirTag by "hacking" his microcontroller. He said after gaining access to the microcontroller, he restarted AirTag and updated its firmware.

The changes made by the security researcher allowed him to use the AirTag function and customize the NFC link when in the Lost Path, as shown in the video posted on Twitter.

Usually, when AirTag is in Lost Mode, it shows a notification when scanned by an NFC-enabled smartphone, such as an iPhone or Android smartphone, with a link to the found.apple.com website (part of Find My network) to show information about the owner.

Hackers can use the spaces displayed on Twitter to identify those who find AirTag lost on malicious websites, instead of displaying user information. However, Roth said in his tweets that it took him hours to bring about a fix. He also claimed to have worn a few AirTags before gaining success.

Apple claims that privacy and security are AirTag's top priorities when it was officially announced last month. However, tweets posted by Roth suggest that the Cupertino company may need to submit an update to prevent firmware level changes.