55 comments

[ 2.7 ms ] story [ 113 ms ] thread
I'm surprised this isn't custom silicon? I thought the U1 chip was required and Apple made?
U1 is only the UWB wireless interface.
It likely still includes a small micro thats sufficient.

But you need something for the DAC/Speaker and Bluetooth LE, so that may have influenced adding another micro.

Seems like there's an nRF52.
Kinda surprising Apple uses such a common bit of hardware. What's next - the next MacBook battery controller Arduino controlled?
How long before AirTags are modified to hop between iCloud identities to subvert anti-tracking?

Also, shoutout to the dickhead who said no one would be able to RE them.

What security boundary is being violated here? DRM?
The microcontroller is supposed to provide read/write protection for the firmware, but is vulnerable to a voltage glitching attack.
There is another very obvious “security hole” with this device: I can use an air tag to tell if someone had an iPhone nearby.

Suppose you’re at a site where phones are prohibited. (Like certain comedians who prohibit phones.) If your AirTag is spotted, someone has a phone!

Any BLE scanner app will tell you how many iPhones are nearby, unless the user has disabled the bluetooth radio through the settings menu.
I remember reading about a year ago how thieves have been seen using BLE scanner apps walking through parking garages looking for computers and phones to steal. Even in "sleep state" many of them are discoverable through bluetooth.
Wait 3 seconds until someone takes their phone out, boom, now you know what phone they have
The AirTag is based on an nRF52 Bluetooth microcontroller which should have protection against firmware extraction. Last year an exploit was found to bypass this using a glitch in the power supply at the right time in the boot up process. Now hackers have applied this process to get the firmware from the AirTag. The microcontroller doesn't have a secure boot process so you can use JTAG to flash it with new firmware.

As for stalking, it was only ever going to be a matter of time before devices were small enough and power efficient enough to be tracked for prolonged periods of time. I think there is probably a market for an Android app which can detect if any Bluetooth devices appear to be following you.

>I think there is probably a market for an Android app which can detect if any Bluetooth devices appear to be following you.

how do you handle mac address changes?

It turns out that it is easy to detect that since the signal strength remains about the same, the new MAC appears just after the old one disappears and the contents of the Bluetooth advertisement remain broadly the same. However you do have to be continually scanning for this to work.
Should be trivial to thwart all three with slight changes in firmware.
You didn't need to do any firmware fuckery to stalk people. If you wanted to stalk someone with an iphone, just 'give' them a Samsung Galaxy tag, if you want to stalk someone with a Samsung phone, 'give' them an airtag.

Neither company bothered to make the anti stalking functionality of their products cross platform.

I think that's why the airtags make noise after being separated from their base for too long.

The problem is that you can't make a viable system to distinguish stalking from legitimate behavior. I have Tile trackers on various objects that I can't imagine ever taking all of them with me--inevitably that means some will be away from the system for the duration of such a trip. If one starts beeping in an empty house that simply means a dead battery, but what if someone else lived here?

On the flip side, you're going to end up "stalked" by the devices of anyone you take a long enough trip with.

Anti-stalking is theater.

With physical access to the inside of the device, a security researcher was able to change the URL of the NFC tag. That's literally all that happened here.
Extracting, modifying, and re-flashing the fireware for the first time would be worthy of discussion alone, but modifying it to do something useful is especially noteworthy.

As the extracted firmware is analyzed further interesting discoveries/capabilities could be found.

Is the simple passive NFC functionality even handled the same way as the much more complex AirTag functionality? With this NFC URL modification, does the regular AirTag functionality even still work?

I love seeing things hacked like this, but for all we know this same thing could have been accomplished by swapping out the guts of the device. (Note: I'm not saying the demo is a fraud, I know stacksmashing is legit) There aren't many details in the article, and the demo doesn't really show much.

So redirect them to a fake iCloud page. Now you can phish their iCloud account. Or wait for a nice iPhone 0 day. See if you can get them to install an App that has a $9.99 per week subscription, etc etc. Lots of attack vectors in a url. Especially one that seems like a legit airtag you happened to find. At $25 a pop cheap to sprinkle around airports.
There really is no need to hack the firmware to do that. You just have to replace the battery with a cheap passive nfc tag configured with your malicious URL.
In the 80s I had a keychain whistle finder. I.e. whistle twice and the device responds by beeping. It seems the AirTag is similar technology but 10x as expensive, with only little more real value. Am I missing something?
Is the keychain going to hear your whistle on the other side of town?
There is a network of people all using the Whistle Finder online and they work together to find items around the world on Discord.
This has to be the most internet thing to hear about today.
Will you be able to locate your AirTag in an area with no iDevices?
No, but the difference is huge. With the whistle, your range is what, 40m radius?

With this, it's every populated place. They won't work if you lost something on a back country hike, but 95% of the world (that you'd visit) will have other iDevice users pass by within a day.

My point was also about the technology not just about possible applications.

Also, I don't see how you'd lose something so important that you'd tag it. E.g. I'd tag my camera, but then I wouldn't lose it because it is precious to me.

But someone might steal your camera.
In which case they'd remove the AirTag and dump it in the trash. Most thieves are not stupid.
It seems you and I have had wildly different experiences with criminals.
> Am I missing something?

The part where this works globally and is not constraint by how loud you are able to whistle.

Or even being able to whistle
> Am I missing something?

Clearly.

I'm still having trouble understanding the purpose of these things. There are way too many unethical applications of this technology, and what kind of person loses things so often that they need to buy trackers?
I have ADHD-adjacent symptoms which include losing my keys quite often, which is why I bought some AirTags.
I have no use for them either. My guess is for people traveling? Or for possible expensive equipment that might get stolen?

Maybe someone that has a use case for these will chime in. Might be some in one of the other announcement threads I'd have to go look.

I misplace my keys, often. Even after placing a small dish near my front door and trying to form a habit around using it. I opted into a Tile as soon as they came to market. It works great, not only can I find my keys if I have my phone, but also visa versa (tile has a button that causes your phone to chime as long as it's in range).

I have a little 'tile dot' (smaller form factor) attached to my wireless headphones charging case. It's black and hard to see via 'scanning'.. I see other headphones now have this tech integrated into the device, that seems awesome.

It's also a very cheap way to do gps type things, this is going to be especially effective with air tags I suspect. The tile trackers are essentially bluetooth beacons and all tiles can be detected by any phone that has the tile app on it (i assume, I'm only familiar with the apple side of this particular equation). I expect that number is growing but fairly low. However every moderish iphone will be detecting airtags, that's going to give you a ton of coverage.

This opens up some other things like 'find my car's airtag in this huge parking lot'

(comment deleted)
The (completely legitimate) anti-tracking measures built into AirTags means that they're not really viable for tracking things that have been stolen. Recent iOS devices will alert you fairly rapidly if you've got an AirTag that isn't registered nearby when the owner of that AirTag also isn't nearby. That means that if someone steals your wallet with an AirTag in it they're going to get alerted to the fact it's trackable within 30 minutes or so, and given instructions on how to disable the tag. Scanning the tag with any NFC capable device will also allow disabling it - I could definitely see professional pickpockets waving a phone over any wallets they take to kill tracking as soon as they can.
> what kind of person loses things so often that they need to buy trackers?

Ever hear of ADHD?

When I was younger I used to lose my wallet multiple times a week. These days it still happens every month or so. Trackers give me peace of mind.

That sounds like a problem that could be solved with a lanyard.
Not looking for advice, thanks :)
I sometimes have trouble finding my kindle around the house but I'd be happy with a device that beeps in response to a bluetooth signal.
My use cases:

-I have children, who have been known to wander off with my keys

-When I am stressed out I get forgetful, especially about where I put my AirPods

-I travel a lot and like knowing I have my AirPods/Keys with me at a glance, instead of digging into my luggage

I pre-ordered two as soon as pre-orders were available: one for my wallet, one for my keys. It’s some undescribed law of physics that anytime I’m running late I can’t find either.
My ex-wife would lose her keys approximately every time she wanted to leave the house. I wish I was exaggerating, but it was like a ritual, she'd decide to go out, and then spend ten minutes stomping round the place looking for them. Unfortunately she'd also do the same thing with her phone, so I'm not sure AirTags are the solution.
I left my backpack at my office the other day. To confirm, I opened the "Find my" app and was happy to see that it was showing as " last seen 9 minutes ago". It's also interesting how my Macbook air also was able to check in over bluetooth 45 feet away from the street (Wifi router was off).