That didn’t take very long. A German researcher claims to have hacked Apple’s new item tracker, the AirTag.
The researcher, known on Twitter as @stacksmashing, shared a video (via 9to5Mac) of the hacked AirTag in action. In the video, we see that a normal AirTag points to Apple’s Find My website when NFC-scanned with an iPhone. The hacked AirTag, on the other hand, points to a completely different URL, which the hacker can set to be anything they want.
The researcher hasn’t shared a precise explanation of how they did it, but they did say that it took them “hours of trying,” which doesn’t sound very comforting for Apple.
While the hack apparently requires some disassembly and can only be performed with physical access to the device, it opens up some scary consequences. For example, a hacker could exchange someone’s AirTag with a modified one that leads to a URL that contains malicious code. Or they could strategically place rogue AirTags at a conference and wait for people to scan them.
I sent a few questions about the hack to Apple and will update this article when I hear back.
In the meantime, be aware that the humble AirTag can be abused in other ways, for example by stalkers, though Apple did take some measures to prevent this.