Apple AirTags arrived with much fanfare (and some trepidation). We’ve already seen teardowns, drill hacks, and even hide-and-seek games. But now a security researcher proved it’s possible to hack an AirTag and change it to display custom sites when phones scan its NFC tag.
That bit might not seem like a big deal, but it’s important to remember how AirTags work when you don’t have an iPhone. If you happen upon an AirTag and you’re an Android user, you can tap it with NFC to open Apple’s return page. Hopefully, as a Good Samaritan, you’ll assist in returning the device.
But with a custom-loaded site, a bad actor could theoretically trick a well-meaning person into scanning a tag and opening a malicious site. That could lead to devastating results, especially if the phone in question isn’t fully up to date.
As spotted by The 8-Bit, security research “stacksmashing” posted the proof of concept on Twitter. He managed to break into the AirTag’s microcontroller, and reflash the device to change its NFC website information.
Built a quick demo: AirTag with modified NFC URL 😎
(Cables only used for power) pic.twitter.com/DrMIK49Tu0
— stacksmashing (@ghidraninja) May 8, 2021
Now the current proof of concepts are hardly end of world demonstrations. AirTags are hard to get ahold of at the moment, and they’re not super cheap. It’s a lot of effort and money to spend, only to take the chance that someone wouldn’t just pocket the device, or use NFC tap to access the site. But it’s still worrying nonetheless, and might make you think twice about scanning that errant AirTag you found on the street. Which doesn’t help Apple’s promise to retrieve your missing AirTag in the long run.