A team of researchers in Germany has discovered a way to attack the hardware inside Apple’s immensely popular item finder. Once in, they found it possible to clone or completely reprogram an AirTag in ways that simply shouldn’t be possible. Worse, the tools needed to do it cost less than $5.
Voltage Glitching to Force AirTag Into Debug Mode
In a recently released paper (PDF), the researchers outline how they voltage glitched the AirTag’s microcontroller to re-enable its debug port. That port is disabled on production units; with it open, someone can upgrade or downgrade the firmware, change settings, and reprogram the device.
Briefly dropping the microcontroller’s supply voltage at the right moment during boot makes the chip skip the protection that locks the debug port, so the port can be switched on. That’s when the fun begins, as they carry out a variety of tasks on the firmware that should be impossible.
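The hard part of a glitch like this is finding the timing: how long after reset to fire, and how wide a pulse, so that the lock is skipped without browning the chip out. The following is an added example, not code from the paper or from the research team, showing the parameter search a practitioner would run from the Pi Pico side. The hardware action (power-cycle the target, fire the MOSFET across the supply, probe SWD) is abstracted behind a `fire(delay_us, width_us)` callback, and the `SimulatedTarget` class and every timing number in it are constructed, hypothetical placeholders rather than measured AirTag values.

```python
"""Glitch-parameter search for a voltage glitch against a debug-port lock.

Added example (not the researchers' code). The Pico-side hardware action is
abstracted as a callback so the search runs offline against a constructed
simulator; all timing values below are hypothetical placeholders.
"""
from dataclasses import dataclass
from typing import Callable, Optional
import random

# What real Pico firmware would implement: power-cycle the target, wait
# `delay_us` after reset, pull the supply low for `width_us`, then try to
# attach over SWD. Returns True if the debug port answered.
GlitchFn = Callable[[int, int], bool]


@dataclass(frozen=True)
class GlitchWindow:
    delay_us: int
    width_us: int
    hits: int
    attempts: int

    @property
    def success_rate(self) -> float:
        return self.hits / self.attempts


class SimulatedTarget:
    """Constructed stand-in for the real MCU (hypothetical numbers).

    The debug-port lock is loaded from non-volatile config during a short
    window after reset. A pulse that lands in that window and is wide enough
    to corrupt the read, but not so wide that the chip resets, leaves the
    port unlocked with some probability.
    """

    def __init__(self, window=(2380, 2420), widths=(8, 14), p_hit=0.6, seed=1):
        self.window = window
        self.widths = widths
        self.p_hit = p_hit
        self.rng = random.Random(seed)

    def fire(self, delay_us: int, width_us: int) -> bool:
        lo, hi = self.window
        wlo, whi = self.widths
        if lo <= delay_us <= hi and wlo <= width_us <= whi:
            return self.rng.random() < self.p_hit
        return False  # lock loaded normally: SWD refuses to attach


def sweep(fire: GlitchFn, delays, widths, repeats: int = 5,
          min_rate: float = 0.3) -> Optional[GlitchWindow]:
    """Try each (delay, width) `repeats` times; return the first combination
    whose success rate reaches `min_rate`, else the best one that hit at all."""
    best: Optional[GlitchWindow] = None
    for w in widths:
        for d in delays:
            hits = sum(1 for _ in range(repeats) if fire(d, w))
            if hits == 0:
                continue
            cand = GlitchWindow(d, w, hits, repeats)
            if best is None or cand.success_rate > best.success_rate:
                best = cand
            if cand.success_rate >= min_rate:
                return cand
    return best


def find_glitch(fire: GlitchFn) -> Optional[GlitchWindow]:
    """Two-stage search: a wide step to locate the reset-to-lock-load window,
    then a fine step around the first hit. Step sizes are hypothetical."""
    coarse = sweep(fire, range(0, 5000, 20), (6, 10, 14, 18),
                   repeats=3, min_rate=0.01)
    if coarse is None:
        return None
    fine_delays = range(coarse.delay_us - 40, coarse.delay_us + 41, 2)
    fine_widths = range(max(1, coarse.width_us - 4), coarse.width_us + 5)
    return sweep(fire, fine_delays, fine_widths, repeats=10, min_rate=0.5)


if __name__ == "__main__":
    print(find_glitch(SimulatedTarget().fire))
```

Against real hardware the coarse sweep is where the time goes, since every attempt is a full power cycle; the fine stage then confirms a window that reproduces reliably rather than a lucky single hit, which is what you want before moving on to reading flash over the reopened port.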
They successfully cloned one AirTag’s firmware onto another one 850 km (528 miles) away. Once the cloned AirTag powered up, Apple’s Find My network reported the original tracker at the new location.
The researchers also demonstrated how to reprogram an AirTag. They were able to make it identify itself as an iPhone rather than a tracking device, which would effectively defeat the anti-stalking alerts Apple has developed, since those rely on recognizing the device as an AirTag. Digging into the other hardware within the AirTag, the team was also able to load custom sounds onto the speaker in place of the built-in ones.
Furthermore, they succeeded in using the built-in accelerometer as a microphone. While the recordings were unintelligible, the team suggests that other ways of driving the accelerometer could work better. That could turn an AirTag into not just a tracker but a bug, a hidden microphone for surveillance purposes.
The Setup Required to Clone or Reprogram an Apple AirTag
The scariest thing about all of this is the equipment required to pull it off. Granted, the procedure demands a high level of technical expertise, knowing how to program firmware, work with electronics and so forth, but the parts are really inexpensive. The researchers say that even amid the chip shortage of 2021 and 2022, they sourced everything they needed for less than 5 euros (about US $5).
The team pulled off their shenanigans with a Raspberry Pi Pico to time the glitch, a level shifter to talk to the AirTag’s 3.3 V logic, and a MOSFET, the transistor that momentarily interrupts the supply. Prices have gone up some, but it’s still a very low-cost hardware hack:
- Raspberry Pi Pico: as low as $9.50
- 3.3V to 5V level shifter: $5
- MOSFET: Less than $1 each
That brings the total bill of materials, minus supplies like wiring and solder, to still under $20.
The team points out that since this is a hardware attack, Apple can’t fix it with a firmware update. On the other hand, it requires physical access to the AirTag and cannot be carried out over the air.
Because of that requirement and the programming and electronics knowledge needed to pull the attack off, they say the risk to end users is negligible compared to other means of repurposing or abusing AirTags. Still, the news could affect how well Apple can respond to growing criticism of AirTags being abused to track people without their knowledge.