
A New AirTags Hack Leads to a Malicious Site Instead of the Return to Owner Page


Apple AirTags arrived with much fanfare (and some trepidation). We’ve already seen teardowns, drill hacks, and even hide-and-seek games. But now a security researcher proved it’s possible to hack an AirTag and change it to display custom sites when phones scan its NFC tag.

That bit might not seem like a big deal, but it’s important to remember how AirTags work when you don’t have an iPhone. If you happen upon an AirTag and you’re an Android user, you can tap it with NFC to open Apple’s return page. Hopefully, as a Good Samaritan, you’ll assist in returning the device.

But with a custom-loaded site, a bad actor could theoretically trick a well-meaning person into scanning a tag and opening a malicious site. That could lead to devastating results, especially if the phone in question isn’t fully up to date.
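An added example, not from the article or from the researcher: a check that a scanning app could run before opening the URL stored on a found tag, decoding the NFC NDEF URI record and accepting only an exact https host. The host `found.apple.com` and the sample records are assumptions constructed here; the article names neither.

```python
from urllib.parse import urlsplit

# NFC Forum URI record prefix codes (subset of the standard abbreviation table).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}

# Assumption: Apple's return page is served from this host (not named in the article).
EXPECTED_HOSTS = {"found.apple.com"}


def parse_uri_record(record: bytes) -> str:
    """Decode one short-format NDEF well-known URI record into a URL string."""
    if len(record) < 5:
        raise ValueError("record too short")
    header, type_len, payload_len = record[0], record[1], record[2]
    if (header & 0x07) != 0x01:                   # TNF must be 'well-known'
        raise ValueError("not a well-known record")
    if not (header & 0x10) or (header & 0x08):    # need SR set, IL clear
        raise ValueError("only short records without an ID field are handled")
    rtype = record[3:3 + type_len]
    payload = record[3 + type_len:3 + type_len + payload_len]
    if rtype != b"U" or payload_len < 1 or len(payload) != payload_len:
        raise ValueError("not a complete URI record")
    prefix = URI_PREFIXES.get(payload[0])
    if prefix is None:
        raise ValueError("unsupported prefix code")
    return prefix + payload[1:].decode("utf-8")


def is_expected_return_page(url: str) -> bool:
    """True only for https URLs whose exact host is on the allowlist."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in EXPECTED_HOSTS


def make_uri_record(rest: str, prefix_code: int = 0x04) -> bytes:
    """Build a constructed sample record: header 0xD1, type 'U', prefix + rest."""
    payload = bytes([prefix_code]) + rest.encode("utf-8")
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload


# Constructed sample records, not captured from a real tag.
GENUINE = make_uri_record("found.apple.com/airtag?pid=0000")
LOOKALIKE = make_uri_record("found.apple.com.example.net/airtag")

if __name__ == "__main__":
    for rec in (GENUINE, LOOKALIKE):
        url = parse_uri_record(rec)
        print(url, "->", "open" if is_expected_return_page(url) else "refuse")
```

The comparison is on the parsed hostname rather than a string prefix, so a URL that merely starts with the expected host name is refused.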

As spotted by The 8-Bit, security researcher “stacksmashing” posted the proof of concept on Twitter. He managed to break into the AirTag’s microcontroller and reflash the device to change its NFC website information.

The current proof of concept is hardly an end-of-the-world demonstration. AirTags are hard to get ahold of at the moment, and they’re not super cheap. It’s a lot of effort and money to spend, only to take the chance that someone would just pocket the device rather than use an NFC tap to access the site. But it’s still worrying, and it might make you think twice about scanning that errant AirTag you found on the street, which doesn’t help Apple’s promise to retrieve your missing AirTag in the long run.

via The 8-Bit

Josh Hendrickson
Josh Hendrickson is the Editor in Chief of Review Geek and is responsible for the site's content direction. He has worked in IT for nearly a decade, including four years spent repairing and servicing computers for Microsoft. He’s also a smart home enthusiast who built his own smart mirror with just a frame, some electronics, a Raspberry Pi, and open-source code.