DEF CON 29 - Thomas Roth - Hacking the Apple AirTags

  • Published 5 Oct 2024
  • Apple’s AirTags enable tracking of personal belongings. They are the most recent and cheapest device interacting with the Apple ecosystem. In contrast to other tracking devices, they feature ultra-wideband precise positioning and leverage almost every other Apple device within the Find My localization network.
    Less than 10 days after the AirTag release, we bypassed firmware protections by glitching the nRF52 microcontroller. This opens the AirTags for firmware analysis and modification. In this talk, we will explain the initial nRF52 bypass as well as various hacks built on top of it. In particular, AirTags can now act as a phishing device by providing malicious links via the NFC interface, be cloned and appear at a completely different location, be used without the privacy protections that should alert users to tracking, act as a low-quality microphone by reusing the accelerometer, and send arbitrary data via the Find My network. Besides these malicious use cases, AirTags are now a research platform that even allows access to the new ultra-wideband chip U1.
    REFERENCES:
    LimitedResults nRF52 APPROTECT Bypass:
    limitedresults...
    Positive Security’s Send My Research for sending arbitrary data via the find my network:
    positive.secur...
    Colin O’Flynn’s notes on the AirTag Hardware:
    github.com/col...

COMMENTS • 56

  • @PixelHamster 3 years ago +92

    Windows accessibility > mono audio = true
    to fully enjoy

    • @PixelHamster 3 years ago +12

      for Linux users, read docs kekw

    • @EvileDik 3 years ago +22

      Listening on a 7.1 surround system is an 'interesting' experience. I have a German man in the back of my lower neck.

    • @dinoscheidt 3 years ago +6

      This is DEFcon and I am surprised this kind of shit still happens at a pinnacle tech conference. Seriously - sprinting a mile just to trip in front of the finish line 🤦🏻‍♂️🤦🏻‍♂️🤦🏻‍♂️🤦🏻‍♂️ While making fun of tech companies not having the skills to deliver their products properly. 😖

    • @DrunkAncestor 3 years ago +2

      DEF CON ELITE AUDIO HACK!

    • @AlecArmbruster 3 years ago +2

      @@EvileDik You may need to see a doctor about that…

  • @LarryTheRoleplayerTM 3 years ago +25

    :( Why audio only 1 channel

  • @_-_-_-_-_-_-_- 2 years ago +42

    You can make the video play audio as mono, just paste this into the browser's console:
    // Route the <video> element's audio through a Web Audio graph that copies
    // channel 0 (the only channel carrying sound here) to both left and right.
    // Note: createMediaElementSource() may only be called once per element;
    // reload the page before pasting this a second time.
    let context = new AudioContext();
    let source = context.createMediaElementSource(document.querySelector('video'));
    let splitter = context.createChannelSplitter(2); // stereo -> two mono outputs
    let merger = context.createChannelMerger(2);     // two mono inputs -> stereo
    source.connect(splitter);
    splitter.connect(merger, 0, 0); // left  <- channel 0
    splitter.connect(merger, 0, 1); // right <- channel 0
    merger.connect(context.destination);
    context.resume(); // the context may start suspended until a user gesture

  • @Kenjic 3 years ago +6

    Awesome video. Lots of great info. Really cool how you tried to get sound from the accelerometer too!

  • @AndrewTSq 3 years ago +8

    someone hacked the audio..

  • @Ipds70GltR 3 years ago +3

    Makes me sad for Tile. Thanks for this

  • @nemesis851_ 3 years ago +4

    Ya, the 16 unit limit is annoying.

    • @iwantitpaintedblack 3 years ago +1

      just buy another iPhone for 32items lol, sounds like a poor people problem

  • @alexoja2918 3 years ago +6

    Could just rewire the tag so that the speaker is directly connected to an analog pin...

    • @HonestAuntyElle 3 years ago +1

      Reassembly of the airtags is not straightforward if I recall correctly.

    • @alexoja2918 3 years ago +1

      @@HonestAuntyElle Well, even with hot glue all over it it's still pretty small form-factor and would leverage the Apple spy network.

  • @zaprodk 3 years ago +3

    Actually the "antenna" connector is not an antenna connector. It's a test point for calibrating RF performance. It's not supposed to be used as a connector and there doesn't exist any mating locking connector for it.

    • @iwantitpaintedblack 3 years ago +1

      Such connectors are also seen on smartphones and usually have plastic cutouts which leads me to believe that they actually are antennas

  • @lucaswybrandt7058 3 years ago +2

    So cool! I look forward to seeing how much we can get out of the AirTag in the future

  • @Krazy0 1 year ago

    This talk was going to be much greater if it wasn't for COVID.

  • @joiscode3832 3 years ago +1

    Yo i loved the video and the talk is also good

  • @azureenterprises4070 2 months ago

    What does the black rectangle boxes that have J107S do? I broke one off trying to open the AirTag but the AirTag still connects to my phone…so far.

  • @alexoja2918 3 years ago +4

    So the way to make tracking possible without causing alerts is probably to change the identity of the tag periodically and register all of those identities separately

    • @HonestAuntyElle 3 years ago +1

      That, or it relies on the history of the tag to match the phone >x% of the time, so you just spoof the location to a known fake location 1-x times

    • @alexoja2918 3 years ago

      @@HonestAuntyElle Right! Or make an ID-exact copy of the tag / use software on your own phone to report the tag's location to another place every now and then.
      Maybe a combination. If a single device is used for location a number of times, stop using it (until tag ID has been changed). If no new devices are reachable, change ID to next in the roll and reset blacklist. While an ID is not in use, obfuscate its location history by using your own/VM device(s) to report other coordinates. The tag side code wouldn't take much space if it's just a conditional statement for ID and, say, five IDs.

    • @kitecattestecke2303 3 years ago +1

      Kill the speaker?

    • @alexoja2918 3 years ago +1

      @@kitecattestecke2303 Why bother? Well, a well-placed stab with a screwdriver would suffice.

    • @iwantitpaintedblack 3 years ago +2

      @@kitecattestecke2303 it shows prompt on phone so the person is aware he is being tracked

  • @ZacKoch 3 years ago

    Nice work 👍

  • @VR_Wizard 3 years ago +3

    I am a computer science student from Germany and I have some very exciting ideas about what to do with a hacked airtag. Unfortunately I am not familiar with electrical engineering 😥.
    Is there a step by step guide for dummies which I can follow and where there are all the hardware and software requirements listed and how to use them? I am willing to learn some electrical engineering on the way when necessary but I don't think I am able to figure all the steps out by myself.

    • @thewhitefalcon8539 1 year ago

      no but you are from Germany so you can surely meet some people who know

    • @VR_Wizard 1 year ago

      @@thewhitefalcon8539 Yes but they are too busy creating our green energy future and have no time for my little hobby engineering projects.

  • @PatrykPaluszek 1 year ago

    Recorded on the infamous pringles can

  • @MikeTrieu 2 years ago

    It's interesting how you don't even have to rip out the speaker assembly to silence the warning chirp. Just flashing a modified firmware that regularly increments the device ID is enough to make the Find My network think it's a different device every time.

  • @superjaykramer 3 years ago +2

    You are very smart!.. of course you are from Germany

  • @CRSolarice 3 years ago +2

    Please!! Enough before we start... Just get on with it for crying out loud!!

    • @basspuppy133 1 year ago +2

      The beauty of YouTube is that you can scrub the video to whatever timestamp you want!

    • @CRSolarice 1 year ago

      @@basspuppy133 I admit that ads and blatant sellouts really burst my bubble. While I do attempt to understand that a person would have a desire to make as much $ as possible, some people just go overboard. When someone puts their reputation on the line and at the same time manipulates or exploits their viewers, well, that doesn't sit well with me. I've been disappointed by some of my favorite video 'producers' by this $-grab syndrome, especially when they obviously know very little or nothing of the product and throw all to the wind and hope for the best. Personally I would never allow myself to do anything that would be disrespectful to my audience or anything that 'could be'. I understand how people will want to stand up for their favorite video producers as well, and that's fine too. I'm not trying to be disrespectful or anything, only to express that it disappoints and frustrates me. Maybe I have thin skin or high expectations, probably both, but my advice to 'contributors' is to respect your viewership, quality not quantity, and have some dignity. It does and will matter, and I have the thought that some may agree.

  • @Server0750 3 years ago +1

    Hackers that can't set there mic,..

    • @FullSendPrecision 3 years ago +8

      hackers that can't spell their

    • @spoon_bomb 1 year ago +1

      Hackers that can't fix the sound themselves and keep whining for nothing ...

  • @Thebloggermustdie 2 years ago

    We need to tell stalkers using this that they are no good for stalking 🙃