Hacking the Apple AirTags

Conference: Defcon 29

2021-08-01

Summary

The speaker used voltage fault injection against the AirTag's nRF52 microcontroller to bypass its debug protection, dump the firmware and modify it, which opens the AirTag as a research platform, including access to the U1 Ultrawide-band chip.
  • The speaker had prior knowledge of the nRF52 microcontroller and of voltage fault injection attacks on it (the LimitedResults APPROTECT bypass).
  • They used a Raspberry Pi Pico to briefly interrupt the power supply to the CPU core of the AirTag's nRF52 at the right moment during boot.
  • After a few minutes of glitching, the debug port became reachable; they connected to the chip and dumped the firmware.
  • They modified the firmware so that the URL the AirTag hands out when scanned over NFC points to a Rickroll link instead, demonstrating that the tag can serve arbitrary (including malicious) links.
  • The speaker believes this demonstration shows the potential for further research on the U1 chip and on repurposing the AirTag's accelerometer as a makeshift microphone.
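The firmware modification step above (swap the URL handed out over NFC) comes down to editing a string inside a raw image without disturbing anything around it. The following is an added example, not code from the talk or from the AirTag firmware: it locates URL-looking strings in a dump and patches one in place. It assumes the URL is stored as a NUL-terminated C string (an assumption for this example; the real image is not reproduced here, and the sample image, its URL and the replacement URL are constructed). A replacement that is longer than the original allocation is refused, because it would shift every byte that follows and corrupt code and data behind it.

```python
import re
from typing import List, Tuple

# Constructed stand-in for the original URL in the dump (not the real AirTag URL).
SAMPLE_OLD_URL = b"https://example.com/tag?id="


def build_sample_image() -> bytes:
    """Constructed firmware-like image: 64 bytes of filler, a NUL-terminated
    URL string at offset 64, then 64 more bytes of filler."""
    return bytes(range(64)) + SAMPLE_OLD_URL + b"\x00" + bytes(64)


# A URL is http(s):// followed by printable, non-space ASCII; the match stops
# at the first non-printable byte, e.g. the NUL terminator.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def find_urls(image: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, url) for every URL-looking string in a raw image;
    this is the first thing to run on a fresh dump."""
    return [(m.start(), m.group(0)) for m in URL_RE.finditer(image)]


def patch_url(image: bytes, old: bytes, new: bytes) -> bytes:
    """Replace `old` with `new` in place, keeping the image size and layout.

    Assumes a NUL-terminated C string. The replacement is padded with NULs up
    to the original capacity; a longer replacement is refused because it
    would overwrite whatever follows the string.
    """
    off = image.find(old)
    if off < 0:
        raise ValueError("original URL not found in image")
    if b"\x00" in new:
        raise ValueError("new URL must not contain NUL")
    term = image.index(b"\x00", off)   # the original string's terminator
    capacity = term - off               # bytes available before the terminator
    if len(new) > capacity:
        raise ValueError(f"new URL needs {len(new)} bytes, only {capacity} available")
    patched = image[:off] + new + b"\x00" * (capacity - len(new)) + image[term:]
    assert len(patched) == len(image)   # layout of everything else is untouched
    return patched


if __name__ == "__main__":
    img = build_sample_image()
    print("before:", find_urls(img))
    out = patch_url(img, SAMPLE_OLD_URL, b"https://example.org/rr")
    print("after: ", find_urls(out))
```

Run `find_urls` on the real dump first to see what is actually stored; if the URL turns out to be assembled at runtime rather than stored as one string, the patch has to target the code that builds it instead, which is outside this example.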

Abstract

Apple’s AirTags enable tracking of personal belongings. They are the most recent and cheapest device interacting with the Apple ecosystem. In contrast to other tracking devices, they feature Ultrawide-band precise positioning and leverage almost every other Apple device within the Find My localization network. Less than 10 days after the AirTag release, we bypassed firmware protections by glitching the nRF52 microcontroller. This opens the AirTags for firmware analysis and modification.

In this talk, we will explain the initial nRF52 bypass as well as various hacks built on top of this. In particular, AirTags can now act as a phishing device by providing malicious links via the NFC interface, be cloned and appear at a completely different location, be used without the privacy protections that should alert users as tracking protection, act as a low-quality microphone by reutilizing the accelerometer, and send arbitrary data via the Find My network. Besides these malicious use cases, AirTags are now a research platform that even allows access to the new Ultrawide-band chip U1.

References:
  • LimitedResults, nRF52 APPROTECT bypass: https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass/
  • Positive Security, Send My (sending arbitrary data via the Find My network): https://positive.security/blog/send-my
  • Colin O’Flynn, notes on the AirTag hardware: https://github.com/colinoflynn/airtag-re
