A security researcher is sounding the alarm on an AirTag vulnerability that could allow a hacker to lead unsuspecting users to an iCloud phishing page.
The problem stems from the AirTag’s Lost Mode, which allows someone who finds a stranded AirTag to take steps to locate it and return it to the user. When the owner enables Lost Mode, it can display a phone number or address on a specialized found.apple.com website. However, according to Bobby Rauch (via Krebs on Security), Apple’s Lost Mode “doesn’t currently stop users from injecting arbitrary computer code into its phone number field,” which could lead an unsuspecting AirTag retriever to a phishing site.
The most common threat would be to add code that sends users to a phishing site that mimics Apple’s iCloud login site and tricks people into typing in their username and password. The report compares the vulnerability to a “malware-laden USB stick” that someone finds and plugs into their computer:
In the modern telling of this caper, a weaponized AirTag tracking device could be used to redirect the Good Samaritan to a phishing page, or to a website that tries to foist malicious software onto her device.
Rauch, who originally discovered the bug in June, says there are “countless ways an attacker could victimize an end user who discovers a lost AirTag.” He contacted Apple months ago but claims researchers at the company only last week told him that the vulnerability would be addressed in an upcoming update.
Apple’s AirTag is a Bluetooth tracking device that can attach to another device using a ring or key tag. It lets users track non-Apple devices in the Find My app and locate items with pinpoint accuracy using ultra-wide band technology.
Rauch told Krebs on Security that Apple’s “lack of communication” prompted him to go public with his findings. He also says Apple asked him to keep it private. Another security researcher called out Apple recently for fixing a zero-day iOS vulnerability without crediting him. Apple offers up to a million dollars for uncovering flaws and vulnerabilities in its Security Bounty Program.
