AirTag of the Clones: Shenanigans with Liberated Item Finders

2022 IEEE Security and Privacy Workshops (SPW) (2022)

Abstract
AirTags are the first standalone devices that support Apple’s Find My network. Besides being a low-cost item finder, they provide an exciting research platform into Apple’s ecosystem security and privacy aspects. Each AirTag device contains a Nordic nRF52832 chip for Bluetooth Low Energy (BLE) and Near Field Communication (NFC) connectivity, as well as Apple’s U1 chip for Ultra-wideband (UWB) fine ranging. In this paper, we analyze the AirTag hardware and firmware in detail and present attacks that also affect the whole AirTag ecosystem. After performing a voltage glitching attack on the nRF chip, we extract and reverse engineer the main firmware. We add firmware functionality, change capabilities, and demonstrate cloning AirTags. Moreover, we analyze the protocol used between iPhones and AirTags, unlocking undocumented commands. These commands enable limited firmware instrumentation over-the-air on unmodified AirTag hardware, including playing sound sequences and downgrading the nRF and U1 firmware.
Keywords
AirTag, UWB, Fault Injection, Glitching, nRF, Find My