Talk Title:

Over the Air-Tag: shenanigans with the most over-engineered keyfinder

Abstract:

The AirTags are Apple’s newest and cheapest peripheral: But what on the outside looks like a regular keyfinder is, on the inside, a great example for modern IoT devices and modern hardware hacking.

It all starts with the challenge of getting the firmware: The nRF52 microcontroller in the AirTag is protected against read-out, but thanks to fault-injection - performed with a $4 Raspberry Pi Pico - we can re-enable the debugging interface and dump out the firmware.

After this we are “in”: We can dump, modify, experiment with the AirTag for “fun” and profit. But even with full control over the firmware, a lot of aspects remain unknown: With a combination of dynamic and static methods, we reverse-engineer the protocols between iOS and the AirTag as well as the between the AirTag microcontroller and its peripherals.

This covers everything: From making the AirTag play annoying beeps and bops through the private iOS API, directly via BLE or even modifying the sounds in the firmware.

The golden egg is obviously the over-the-air firmware update protocol: We will deep-dive into the firmware up- and downgrade processes, and show how Apple’s firmware verification works - and where it fails.

On the firmware side, we will give an introduction into reverse engineering bare-metal nRF firmware - using and abusing the fact that it’s based on Nordic’s SDK. We provide an overview of the general architecture of the operating system running on the nRF chip, going into detail on the handlers and parsers for the Bluetooth protocol and tracing them to the corresponding hardware peripherals.

Finally we will look at some fun experiments with the AirTag hardware, and give a lookout of what to expect to come out of security research of a keyfinder.

Speaker Bio:

Jiska Classen
Because of a bad experience with cables and an army of vacuum robots, Jiska decided to get into wireless security. This was generally a bad idea; as her teeth turned blue and the only way to keep things safe from her now is by attaching cables. Because Jiska is lazy, she will (ab)use whatever code is already there instead of writing her own, by hooking all the things with Frida. She also refuses to switch away from IDA.

Fabian Freyer
Fabian has a love-hate relationship with static firmware reverse engineering. Using the advanced method of excessive amounts of intense staring at hexdumps in Binary Ninja, he attempts to find every needle in the haystack and every command handler in the firmware, only to be disappointed it doesn’t give a flag to hand in to the scoreboard. It has helped him understand how significant parts of the AirTag’s Bluetooth protocols work.

stacksmashing
stacksmashing is not only a bricking specialist but also the inventor of EarTag - an AirTag based ear accessory. A side product during the process of inventing EarTags was glitching AirTags, which turned out to be super useful for further security research. His boss only approves purchases of software that has a dragon logo, which is why he is stuck with Ghidra.