Here’s where the hack comes in. The German researcher changed the URL on the notification. Instead of telling the person who discovered the lost AirTag about the found.apple.com site, the notification promoted the researcher’s web site and included his URL.
A German researcher by the name of stacksmashing disseminated a tweet about his success hacking the Apple AirTag item tracker. He reversed-engineered the microcontroller on the device (although he bricked two AppleTag units while attempting to do this) and re-flashed the microcontroller allowing him to make some changes to the AirTag’s functionality. The change made had to do with the URL that appears on a notification when an AirTag in Lost Mode is tapped by an NFC-enabled smartphone (iOS or Android).
When an AirTag is placed in Lost Mode, it sends out signals that can be picked up by the close to 1 billion active Apple devices world wide. When an AirTag is discovered by this “Find My” network,” placing the AirTag close to an iPhone or an NFC-enabled Android device will open a notification redirecting the person finding the lost tag to a website (found.apple.com). Hopefully the owner of the missing object remembered to add his contact information including a phone number and a message.
This should be alarming to Apple because the AirTag hack might allow someone to stalk a particular AirTag user. Apple already sends out an alert when an AirTag that doesn’t belong is discovered “traveling” with a family. As for the possibility that an AirTag can be hacked to create a security problem, it looks like it has proven to be very possible and Apple will need to respond.