Apple’s AirTags make it easy to phish people and steal their Apple accounts, a security researcher says.
Bobby Rauch, a Boston-area cybersecurity consultant, said in a blog post today (Sept. 28) that Apple makes it too easy to sneak malicious code into the online messages that AirTag owners can leave for anyone who finds their lost tracking discs.
“I can’t remember another instance where these sort of small consumer-grade tracking devices at a low cost like this could be weaponized,” Rauch told independent security reporter Brian Krebs, who first reported this story.
Tom’s Guide has reached out to Apple for comment, and we will update this story when we receive a reply.
How to avoid this kind of attack
To protect yourself from this sort of attack, be aware that you don’t need to log into iCloud or your Apple account to report a found AirTag.
You should also enable two-factor authentication to make logging into your Apple account difficult for an attacker who does not possess one of your Apple devices, even if that attacker has your Apple username and password.
If you think your Apple ID has been phished or otherwise stolen, change your Apple password right away.
Injection without detection
In a series of YouTube clips posted on Medium, Rauch showed how he could use off-the-shelf software to inject an invisible script into the phone-number field that an AirTag owner fills in when reporting a lost AirTag to Apple.
An iPhone user who came across the lost AirTag would connect their iPhone to it wirelessly, which, in turn, would force the iPhone to open a page at found.apple.com specific to that lost device.
Normally, that Found page would contain information about contacting the lost AirTag’s rightful owner. But in this case, the hidden script would secretly redirect the victim’s iPhone to a page that would look like a standard iCloud login page, but would really be a phishing page ready to steal the victim’s Apple username and password.
“Since Airtags were recently released, most users would be unaware that accessing the https://found.apple.com page doesn’t require authentication at all,” Rauch wrote on Medium. “The https://found.apple.com link can also be used as a phishing link, and shared via a desktop/laptop, without the need for a mobile device to scan the Airtag.”
Easy to fix, not so easy to overlook
Rauch told Krebs that he told Apple about this vulnerability in June, but that Apple sat on it for three months while the company investigated. After the three-month mark passed — generally regarded as long enough for a security researcher to wait before disclosing an unpatched flaw — Rauch reached out to Krebs.
Krebs contacted Apple for comment, soon after which Apple emailed Rauch and asked him not to discuss the vulnerability in public. Rauch obviously declined, telling Krebs he never got a timeline about when the bug would be fixed, whether he’d be credited with finding it, or whether he’d get any kind of “bug bounty” at all.
Last week, another security researcher, fed up with waiting for Apple to patch the flaws he’d discovered, simply put exploits for those flaws online.
Rauch told Krebs that patching this issue involves simply banning certain characters from the Found page’s entry fields.
“It’s a pretty easy thing to fix,” Rauch said. “Having said that, I imagine they [Apple] probably want to also figure out how this was missed in the first place.”
