Apple AirTags Are Being Weaponized Against Good Samaritans With This Security Exploit
A security researcher has discovered an Apple AirTags vulnerability that can effectively turn an affordable tracker into a cheap phishing lure. This is made possible through the tracker's "Lost Mode," where the intention is that if a user loses their AirTag, they can mark it as missing. Supposing an honest individual comes across the lost tracker, a custom link will send them to a website with the owner's phone number and whatever message they might want to leave.
Good intentions can lead to bad deeds, however, and this same feature can be used against people who are trying to do the right thing. In what seems like a glaring oversight on Apple's part, it is entirely possible for an unscrupulous person to buy a $29 AirTag, inject it with malicious code, and then drop it into the wild and wait for a victim to find it.
Security researcher Bobby Rauch explains in a blog post that the phone number field in an AirTag's Lost Mode is not properly secured. By filling it with malicious code instead of an actual phone number, an attacker essentially weaponizes a cheap tracking device, turning it into a sort of modern-day Trojan Horse, or a clever phishing lure.
Call it whatever you want, this sort of thing should not be possible. But it is. With the right code in place, a person who finds a lost AirTag could unwittingly be redirected to a spoofed website that looks like the real iCloud login page. When they enter their details, their login information is immediately sent to the hacker's server.
Piece of cake, for someone who knows what they are doing. And according to Rauch, that is just one example of how this can be exploited.
"There are countless ways an attacker could victimize an end user who discovers a lost AirTag. Since AirTags were recently released, most users would be unaware that accessing the https://found.apple.com page doesn’t require authentication at all... Further injection attacks could occur through the Find My App, which is used to scan third-party devices that support 'Lost Mode' as part of Apple’s Find My network," Rauch explains.
Rauch told KrebsOnSecurity that he alerted Apple about the AirTags bug back in mid-June. For the next three months, he says, Apple would only say it was investigating the matter whenever he inquired about it. Then last week, Rauch says, he received an email from Apple saying it planned on patching the security hole in a future update and asking if he would refrain from publicly disclosing it.
The security researcher said he was willing to work with Apple if it could answer some questions, like what the timeline would be for a fix, if he would be credited with finding the bug, and if he would be eligible for a bug bounty. Apple's response was apparently less than satisfactory. Rauch had previously said he would disclose the bug after 90 days, and that's exactly what he has done.
Fortunately, this should be a fairly easy thing for Apple to fix. Let's hope they get around to it sooner rather than later. In the meantime, you can check out Rauch's blog on the AirTags vulnerability for more details.
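For readers wondering what the fix for an unsecured phone number field looks like in practice, here is an added example (not Apple's code and not taken from Rauch's post) that sets the vulnerable pattern beside a hardened one. Every function name, the validation rule, and the sample inputs are assumptions made for illustration.

```javascript
// Added example: hypothetical server-side handling of a Lost Mode contact
// field. All names are illustrative; this is not Apple's implementation.

// Allow-list: optional leading "+", then 7-15 digits (E.164-style length).
const PHONE_RE = /^\+?[0-9]{7,15}$/;

// Strip common separators, then validate. Returns the canonical number,
// or null when the input is not a phone number.
function normalizePhone(input) {
  if (typeof input !== "string" || input.length > 32) return null;
  const stripped = input.replace(/[\s().-]/g, "");
  return PHONE_RE.test(stripped) ? stripped : null;
}

// Output encoding for HTML text nodes and quoted attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored value is concatenated into markup as-is,
// so whatever the owner typed is interpreted by the finder's browser.
function renderFoundPageUnsafe(storedPhone) {
  return `<p class="phone">${storedPhone}</p>`;
}

// Hardened pattern, part 1: reject non-phone input when it is saved.
function saveLostModeContact(input) {
  const phone = normalizePhone(input);
  if (phone === null) throw new Error("rejected: not a phone number");
  return { phone };
}

// Hardened pattern, part 2: encode on output anyway, in case a bad value
// was stored before validation existed or arrived by another path.
function renderFoundPageSafe(record) {
  const shown = escapeHtml(record.phone);
  return `<p class="phone"><a href="tel:${shown}">${shown}</a></p>`;
}

// Constructed sample inputs (inert placeholder markup, not a real payload).
const SAMPLE_OK = "+1 (555) 010-0199";
const SAMPLE_MARKUP = "<script>/* constructed placeholder */</script>";
```

Validation on write and encoding on read are independent controls; either one alone would stop markup in this field from reaching the finder's browser as live HTML.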