AirTags can be hacked, but don’t worry about yours
Even these tiny, buttonless, display-less devices can be weaponized against your privacy and security. But, at least for the time being, you shouldn’t be concerned about your AirTags. As we recently learned, hackers can add their own malicious code to an AirTag, allowing them to change the website that appears in Lost Mode, with the goal of stealing the information of someone attempting to return the lost tracker.
It’s a shame, because Lost Mode is supposed to be the whole point of AirTags. You can put an AirTag or a device with an attached AirTag in Lost Mode if you lose it. If someone finds your missing AirTag, they can scan it with their iPhone or Android device to get your contact information and a link to https://found.apple.com to help you recover it.
When hackers get involved, however, the entire process is disrupted. Instead of showing the Good Samaritan the relevant, limited information that will help them return your AirTag, attackers can choose to send them to a malicious website, perhaps one posing as an official Apple login site. If the person who discovered the AirTag is unfamiliar with the process, they may believe they must sign in with their Apple credentials, giving these hackers access to their personal information. That’s obviously not a good thing.
Bobby Rauch, a security consultant, was the one who discovered the problem. He quietly reported it to Apple, giving the company a 90-day window to fix the issue before making it public. Those 90 days have passed, and now we are all aware of the AirTags vulnerability.
Apple says that a fix for this security flaw is on the way, but offered no timeline for it as of this writing. We’ll keep an eye out for any firmware updates that come down the line.
How can you keep yourself safe from AirTag hacking?
If you come across a lost AirTag, you don’t have to avoid it like the plague; all you have to do is know what to look for. Remember that in Lost Mode, a legitimate AirTag will include contact information as well as a link to https://found.apple.com. It will never require you to log in or provide any personal information. Drop and run if you see these types of requests on a lost AirTag.