By <https://9to5mac.com/author/apollozac/> Zac Hall
In the two weeks since <https://amzn.to/3uU80pm> AirTag has hit the market,
we've seen just as many stories describe ways security researchers have
hacked Apple's item tracker. So why is this? Did something go wrong when
Apple designed security features for AirTags, and should you be concerned?
Let's tackle those questions.
Worry or not?
Reading stories about AirTags being hacked doesn't immediately inspire
confidence, especially for a product that's meant to track items. Whether or
not you trust Apple to keep AirTags safe from nefarious parties is a
personal choice. In both security stories we've seen so far, it's important
to understand the details of what happened and how.
In the first scenario, a security researcher was able to
<https://9to5mac.com/2021/05/09/airtag-hacked-for-the-first-time-by-security
-researcher-video/> modify the NFC URL on a jailbroken AirTag. Let's break
down what this means.
How it works
Jailbreaking an AirTag means the professional security researcher was able
to find an exploit in the AirTag's firmware that allowed them to modify how
it works. AirTags that you purchase new in the box certainly won't come
"jailbroken," and we can expect Apple to patch known vulnerabilities, just
like it does on iPhone.
Modifying the NFC URL sounds awfully concerning for the uninitiated, but
it's very different from hacking an AirTag to track someone without their
permission.
NFC refers to near field communication, the method used by AirTag to
communicate with iPhones within a few centimeters apart. URL, or uniform
resource locator, has nothing to do with your actual location. URL refers to
the online location (Apple's server) of the message sent by AirTag when the
device is in Lost Mode.
The risk here is not that someone could jailbreak an AirTag and use it to
track your location without your permission. Rather, the risk is that a
jailbroken AirTag could be used in a phishing scheme to trick you into
sharing personal information with a nefarious party.
Using email is riskier
This hack is similar to how phishing schemes work on the web and through
email, but actually coming across a jailbroken AirTag with a custom URL in
the wild is highly unlikely. This would require someone jailbreaking an
AirTag, knowing how to modify the NFC URL, and leaving the AirTag in a
discoverable location as bait.
Hopefully, this specific exploit is patched with a future firmware update
for AirTag, but for now, using email and the web is a bigger risk for being
phished with a misleading URL than by finding a rotten AirTag in the wild.
You can also learn what to expect when you find an AirTag in Lost Mode
<https://9to5mac.com/2021/04/30/how-to-find-airtag-use-lost-mode-replace-bat
tery/> here.
AirTag spam
The second demonstration of how an AirTag can be exploited is even less
sinister, and neither scenario involves location tracking without
permission.
AirTag is designed to communicate encrypted GPS data with nearby iPhones
through Apple's Find My network. This is what allows iPhone users to locate
missing items with the help of other iPhone users.
What a security researcher has discovered is that the GPS data can be
replaced with other bits of data and broadcasted to nearby iPhones. While
there is something creepy about this, it's unclear how likely this method
could be for actually being a security risk.
Here's how my colleague Benjamin Mayo
<https://9to5mac.com/2021/05/12/find-my-network-arbitrary-data-messages/>
describes the exploit and its risk:
This latest research extends the protocol to transmitting arbitrary data
rather than simply mirroring location updates. [.]
In the demo, short text strings are sent back over the Find My network to a
home Mac. [.]
There isn't much chance of an unscrupulous fake AirTag draining someone's
data cap, as the size of the Find My messages is very small, measured in
kilobytes.
For now, this "hack" is essentially an example of breaking the functionality
of an AirTag and not exploiting it to do harm to others. The actual risk is
similar to receiving a text message or email from a wrong number or sender,
except you don't actually see the message.
AirTag and privacy
So did Apple miss something when designing security for AirTag item
trackers? Not exactly. Here's how Apple describes privacy with AirTag:
Only you can see where your AirTag is. Your location data and history are
never stored on the AirTag itself. Devices that relay the location of your
AirTag also stay anonymous, and that location data is encrypted every step
of the way. So not even Apple knows the location of your AirTag or the
identity of the device that helps find it.
The reality is that no software is perfect, and all computers have risks
associated with security exploits that are regularly discovered and
repaired. Apple and other platform makers are constantly securing operating
systems and software with patches to exploits as they're discovered. The
firmware that powers an AirTag is far less ambitious than the software that
powers your iPhone, however, so the possibility of exploits is far more
limited.
We'll update our coverage if either of these researcher-discovered "hacks"
proves to be bigger risks or if we learn that <https://amzn.to/3uU80pm>
AirTag firmware has made these obsolete. For now, rest assured that "AirTag
hacked" definitely doesn't mean someone else can track your location or your
items without your permission. Learn more about security from Apple
<https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-sec
urity-guide.pdf> here.
https://9to5mac.com/2021/05/12/should-you-be-worried-about-airtag-hacks-here
s-what-you-should-know/
===========================================================
The fb-exchange mailing list
Manage account,
List Page: https://www.freelists.org/list/fb-exchange
Subscribe: mailto:fb-exchange-request@xxxxxxxxxxxxx?Subject=subscribe
Unsubscribe: mailto:fb-exchange-request@xxxxxxxxxxxxx?Subject=unsubscribe
Archive: https://www.freelists.org/archive/fb-exchange
Administrative contact: insight@xxxxxxxxxxxxxxxxxxxx
===========================================================
