AirTags, Apple’s Bluetooth object trackers, were designed with good intentions – they’re useful for attaching to important items like keys and luggage to help you find them if they get lost. However, these devices also apparently have a small design flaw that could allow an unscrupulous individual to use them maliciously.
Penetration tester and security researcher Bobby Rauch recently contacted cybersecurity blogger Brian Krebs about an exploit he discovered that would allow the tracking devices to be used as a potential vector for credential hijacking and data theft. The attack, which takes advantage of the way Apple’s “Lost Mode” is set up, could target an unsuspecting Good Samaritan – someone who finds an AirTag left in a public place and wants to return the item to its rightful owner.
When they go missing, AirTags can be tracked remotely via Apple’s Find My app, but a person who finds a lost tag can also help return it to its owner. An AirTag can be scanned via the NFC reader of an iPhone or Android device, and if the AirTag has been placed in “Lost Mode”, it will automatically reveal to the finder whatever contact information has been associated with the device. AirTag owners can configure this via Find My to include a phone number or email address and can also type in a short message – probably something like “Hey, this is mine, please return it to XYZ.” When someone finds and scans the AirTag, they’ll automatically be prompted on their phone to visit a unique URL that displays the contact information and the owner’s message. Essentially, it’s a similar concept to pet name tags, which usually carry contact information for where to return a lost dog.
However, while this is a well-meaning feature, it nonetheless opens up the Good Samaritan to potential attack. This is because nothing currently prevents an AirTag owner from injecting arbitrary code into the phone number field of the device’s URL. Such code could be used to send the person who scans the AirTag to a phishing site or other malicious web page designed to collect credentials or steal their personal information, Rauch recently told Krebs. In theory, a disgruntled creep could buy AirTags for the specific purpose of converting them into malicious Trojans, and then leave them strewn about for an unsuspecting person to pick up.
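How a lost-item page can treat the owner-supplied phone number and message as untrusted data, as an added example (not Apple’s code and not from Rauch’s write-up). The function names, field names and page markup are assumptions, and the sample inputs are constructed.

```javascript
// Added example: hypothetical server-side handling of "Lost Mode" contact fields.
// Field names and markup are assumptions, not Apple's implementation.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode text for an HTML body or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list validation: return a canonical "+digits" form, or null if the
// value is anything other than a plausible phone number.
function normalizePhone(input) {
  if (typeof input !== "string" || input.length > 32) return null;
  const trimmed = input.trim();
  // Digits and common separators only, with an optional leading "+".
  if (!/^\+?[0-9 ()./-]+$/.test(trimmed)) return null;
  const digits = trimmed.replace(/[^0-9]/g, "");
  if (digits.length < 7 || digits.length > 15) return null;
  return (trimmed.startsWith("+") ? "+" : "") + digits;
}

// Build the page a finder sees. The phone number is validated on the way in
// and the free-text message is encoded on the way out.
function renderLostPage(fields) {
  const phone = normalizePhone(fields.phone);
  const message = escapeHtml(String(fields.message ?? "").slice(0, 200));
  const contact = phone
    ? `<a href="tel:${phone}">${phone}</a>`
    : "<span>No valid phone number on file</span>";
  return `<main><p class="contact">${contact}</p><p class="message">${message}</p></main>`;
}

// Constructed sample inputs: one ordinary owner, one who put markup in both fields.
const SAMPLES = [
  { phone: "+1 (555) 010-0199", message: "Hey, this is mine, please return it." },
  { phone: '"><script>/* constructed */</script>', message: "<b>call me</b>" },
];

for (const sample of SAMPLES) {
  console.log(renderLostPage(sample));
}
```

Validating the phone field rejects markup before it is stored, and encoding the message on output covers the field that has to accept free text.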
Krebs rightly compared this to the classic ploy in which a hacker leaves a USB drive lying around, usually in a company parking lot or other public space. Eventually, a curious, hapless person will pick up the USB drive and plug it into their computer, silently releasing whatever malware is hidden inside. Likewise, a bad actor could leave AirTags lying around attached to one or two “lost” items, and wait for someone to pick one up and try to helpfully return it to its rightful owner.
Apple has apparently been slow to react to this problem. Rauch, who discovered the exploit, told Krebs that he reached out to the company in June and they basically blew him off. For three months, Apple officials simply told Rauch that they were still “investigating” his claims, but would not commit to publicly disclosing the problem or tell him whether he qualified for their bug bounty program. When Rauch contacted Krebs last Friday, the company finally responded and said they plan to fix the bug in an upcoming update. They also asked him not to publish his findings.
However, Rauch has now done just that, writing his own blog post that explains how the exploit works: “An attacker can create armed AirTags and leave them there, victimizing innocent people who are just trying to help someone find their lost AirTag,” he wrote.
We reached out to Apple for comment on all of this. At the time of publication, they had not responded to us. We will update this story if they respond.