In the two weeks since AirTag has hit the market, we’ve seen just as many stories describe ways security researchers have hacked Apple’s item tracker. So why is this? Did something go wrong when Apple designed security features for AirTags, and should you be concerned? Let’s tackle those questions.
Worry or not?
Reading stories about AirTags being hacked doesn’t immediately inspire confidence, especially for a product that’s meant to track items. Whether or not you trust Apple to keep AirTags safe from nefarious parties is a personal choice. In both security stories we’ve seen so far, it’s important to understand the details of what happened and how.
In the first scenario, a security researcher was able to modify the NFC URL on a jailbroken AirTag. Let’s break down what this means.
How it works
Jailbreaking an AirTag means the professional security researcher was able to find an exploit in the AirTag’s firmware that allowed them to modify how it works. AirTags that you purchase new in the box certainly won’t come “jailbroken,” and we can expect Apple to patch known vulnerabilities, just like it does on iPhone.
Modifying the NFC URL sounds awfully concerning for the uninitiated, but it’s very different from hacking an AirTag to track someone without their permission.
NFC refers to near field communication, the method used by AirTag to communicate with iPhone and Android phones within a few centimeters apart. URL, or uniform resource locator, has nothing to do with your actual location. URL refers to the online location (Apple’s server) of the message sent by AirTag when the device is in Lost Mode.
The risk here is not that someone could jailbreak an AirTag and use it to track your location without your permission. Rather, the risk is that a jailbroken AirTag could be used in a phishing scheme to trick you into sharing personal information with a nefarious party.
Using email is riskier
This hack is similar to how phishing schemes work on the web and through email, but actually coming across a jailbroken AirTag with a custom URL in the wild is highly unlikely. This would require someone jailbreaking an AirTag, knowing how to modify the NFC URL, and leaving the AirTag in a discoverable location as bait.
Hopefully, this specific exploit is patched with a future firmware update for AirTag, but for now, using email and the web is a bigger risk for being phished with a misleading URL than by finding a rotten AirTag in the wild. You can also learn what to expect when you find an AirTag in Lost Mode here.
The second demonstration of how an AirTag can be exploited is even less sinister, and neither scenario involves location tracking without permission.
AirTag is designed to communicate encrypted GPS data with nearby iPhones through Apple’s Find My network. This is what allows iPhone users to locate missing items with the help of other iPhone users.
What a security researcher has discovered is that the GPS data can be replaced with other bits of data and broadcasted to nearby iPhones. While there is something creepy about this, it’s unclear how likely this method could be for actually being a security risk.
Here’s how my colleague Benjamin Mayo describes the exploit and its risk:
This latest research extends the protocol to transmitting arbitrary data rather than simply mirroring location updates. […]
In the demo, short text strings are sent back over the Find My network to a home Mac. […]
There isn’t much chance of an unscrupulous fake AirTag draining someone’s data cap, as the size of the Find My messages is very small, measured in kilobytes.
For now, this “hack” is essentially an example of breaking the functionality of an AirTag and not exploiting it to do harm to others. The actual risk is similar to receiving a text message or email from a wrong number or sender, except you don’t actually see the message.
AirTag and privacy
So did Apple miss something when designing security for AirTag item trackers? Not exactly. Here’s how Apple describes privacy with AirTag:
Only you can see where your AirTag is. Your location data and history are never stored on the AirTag itself. Devices that relay the location of your AirTag also stay anonymous, and that location data is encrypted every step of the way. So not even Apple knows the location of your AirTag or the identity of the device that helps find it.
The reality is that no software is perfect, and all computers have risks associated with security exploits that are regularly discovered and repaired. Apple and other platform makers are constantly securing operating systems and software with patches to exploits as they’re discovered. The firmware that powers an AirTag is far less ambitious than the software that powers your iPhone, however, so the possibility of exploits is far more limited.
We’ll update our coverage if either of these researcher-discovered “hacks” proves to be bigger risks or if we learn that AirTag firmware has made these obsolete. For now, rest assured that “AirTag hacked” definitely doesn’t mean someone else can track your location or your items without your permission. Learn more about security from Apple here.
FTC: We use income earning auto affiliate links. More.