AirTags, Apple’s Bluetooth-enabled item trackers, were designed with good intentions – they’re useful for attaching to important things like keys and luggage to help you find them if they get lost. However, such devices apparently also have a small design flaw: one that could allow an unscrupulous person to use them maliciously.
Bobby Rauch, a penetration tester and security researcher, recently contacted cybersecurity blogger Brian Krebs about an exploit he had discovered that would allow the tracking devices to be used as a potential vector for credential hijacking and data theft. The attack, which takes advantage of the way Apple’s “Lost Mode” is set up, could target an unsuspecting Good Samaritan: someone who finds an AirTag left in a public place and wants to return the item to its proper owner.
When they disappear, AirTags can be remotely tracked via Apple’s Find My app. But someone who finds a lost tag can also help return it to its owner. An AirTag can be scanned via the NFC reader of an iPhone or Android device, and if the AirTag has been placed in “Lost Mode,” it will automatically reveal to the browser any contact information that has been associated with the device. AirTag owners can configure this via Find My to include a phone number or email address, and they can also enter a short message, probably something like “Hey, this is mine, return to XYZ”. When someone finds and scans the AirTag, they will automatically be prompted on their phone to visit a unique URL that displays the owner’s contact information and message. In essence, it is a concept similar to dog tags, which generally come equipped with contact information on where to return a lost dog.
However, while this is a well-intentioned feature, it nonetheless opens up the Good Samaritan to possible attack. That’s because there is currently nothing to prevent an AirTag owner from injecting arbitrary code into the phone number field of the device URL. Such code could be used to send the AirTag finder to a phishing site or other malicious web page designed to collect credentials or steal their personal information, Rauch recently told Krebs. In theory, a disgruntled jerk could buy AirTags for the specific purpose of turning them into malicious Trojans, then leave them scattered around for an unsuspecting person to pick up.
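The missing control described above is validation of the phone number field plus output encoding of anything the owner typed. The following is an added illustration, not Apple's code and not taken from Rauch's write-up; the function names, the 7 to 15 digit rule and the message length limit are assumptions made for the example.

```python
import html
import re

# Assumed policy: optional leading "+", then 7 to 15 ASCII digits.
PHONE_RE = re.compile(r"\+?[0-9]{7,15}")
# Separators people commonly type; stripped before validation.
SEPARATORS = re.compile(r"[\s().\-]")
MAX_RAW_LEN = 32        # assumed cap on the raw phone field
MAX_MESSAGE_LEN = 200   # assumed cap on the owner's message

# Constructed sample of markup submitted where a phone number belongs.
SAMPLE_INJECTED = "<script>/* constructed placeholder */</script>"


def normalize_phone(raw):
    """Return the canonical number, or None if the field is not a phone number."""
    if not isinstance(raw, str) or len(raw) > MAX_RAW_LEN:
        return None
    candidate = SEPARATORS.sub("", raw)
    # fullmatch rejects a valid number followed by anything else.
    return candidate if PHONE_RE.fullmatch(candidate) else None


def render_found_page(phone_raw, message_raw):
    """Build the HTML fragment shown to whoever scans the tag."""
    phone = normalize_phone(phone_raw)
    if phone is None:
        # Reject when the owner saves the field, never store and render it.
        raise ValueError("phone number field rejected")
    # The message is free text, so it is encoded rather than pattern-matched.
    message = html.escape(message_raw[:MAX_MESSAGE_LEN], quote=True)
    # Encoding the validated number as well keeps the output safe even if
    # the validation rule is loosened later.
    safe_phone = html.escape(phone, quote=True)
    return (
        '<p class="owner-message">{}</p>\n'
        '<a href="tel:{}">{}</a>'
    ).format(message, safe_phone, safe_phone)


if __name__ == "__main__":
    print(render_found_page("+1 (555) 010-0199", "Hey, this is mine <3"))
    print(normalize_phone(SAMPLE_INJECTED))
```
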
Krebs rightly compares this to the classic tactic where a hacker will leave a nondescript flash drive lying around, usually in a business parking lot or some other public space. Eventually some curious and unfortunate person will take that USB drive and plug it into their computer, thus silently releasing any malware that lurks inside. Similarly, a bad actor could visibly leave AirTags lying around along with a “lost” item or two, and simply wait for someone to pick one up and try to return it to its rightful owner.
Apple has apparently been slow to respond to this issue. Rauch, who discovered the exploit, told Krebs that he had contacted the company in June and they basically blew him off. For three months, Apple representatives simply told Rauch that they were “still investigating” his claims, but they would not commit to publicly disclosing the issue or telling him if he qualified for their bug bounty program. When Rauch reached out to Krebs last Friday, the company finally reached out to him and told him that they planned to fix the bug in an upcoming update. They also asked him not to publish his findings.
However, Rauch has now done just that, writing his own blog post that explains how the exploit works: “An attacker can create armed AirTags and leave them around, victimizing innocent people who are simply trying to help a person find their lost AirTag,” he writes.
We reached out to Apple to comment on all of this. At the time of publication, they had not responded to us. We will update this story if they respond.