Apple’s AirTags make it easy to phish people and steal their Apple accounts, says a security researcher.
Bobby Rauch, a cybersecurity consultant from the Boston area, said in a blog post today (Sept. 28) that Apple makes it too easy to inject malicious code into the online message that AirTag owners can leave for anyone who finds their lost tracking discs.
“I can’t think of any other case where these types of small consumer tracking devices could be used as a weapon at low cost,” Rauch told independent security reporter Brian Krebs, who first reported the story.
Tom’s Guide has approached Apple for a comment, and we’ll update this story when we get a response.
How to avoid this type of attack
To protect yourself from this type of attack, remember that you do not need to sign in to iCloud or your Apple account to report a found AirTag.
You should also enable two-factor authentication to make it more difficult for an attacker who does not own an Apple device to sign in to your Apple account, even if that attacker has your Apple username and password.
If you believe your Apple ID has been phished or otherwise stolen, change your Apple password immediately.
Injection without detection
In a series of YouTube clips posted on Medium, Rauch showed how, using off-the-shelf software, he could insert an invisible script into the phone number field that an AirTag owner fills out when reporting a lost AirTag to Apple.
An iPhone user who encountered the lost AirTag would wirelessly connect their iPhone to it, which in turn would force the iPhone to open a page specific to that lost device at found.apple.com.
Typically, this Found page contains information on how to contact the rightful owner of the lost AirTag. But in this case, the hidden script would silently redirect the victim’s iPhone to what looks like a standard iCloud login page but is in fact a phishing page designed to steal the victim’s Apple username and password.
“Since Airtags were released recently, most users are unaware that no authentication is required to access https://found.apple.com,” Rauch wrote on Medium. “The link https://found.apple.com can also be used as a phishing link and shared via a desktop / laptop without a mobile device having to scan the airtag.”
Easy to fix, not so easy to miss
Rauch told Krebs that he reported the vulnerability to Apple in June, but that Apple sat on it for three months while the company investigated. After the three-month period had passed – generally considered long enough for a security researcher to wait before disclosing an unresolved bug – Rauch went public.
Krebs contacted Apple for comment, after which Apple sent Rauch an email asking him not to publicly discuss the vulnerability. Rauch apparently refused, telling Krebs that he had never been given a schedule of when the bug would be fixed, whether he would be credited with finding it, or whether he would get some kind of “bug bounty” at all.
Last week, another security researcher, tired of waiting for Apple to fix the bugs he discovered, simply posted exploits for those bugs online.
Rauch told Krebs that patching this problem simply involves blocking certain characters from the input fields on the Found page.
“It’s a pretty easy thing to fix,” said Rauch. “Having said that, I can imagine they [Apple] probably also want to find out how that was overlooked in the first place.”
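The fix Rauch describes, rejecting unexpected characters in the phone-number field, is easy to illustrate. The following is an added example written for this article, not Apple’s code: a hypothetical `validate_phone` allowlist check for the input side, plus output-time HTML escaping in a hypothetical `render_contact_card` as defence in depth (the escaping goes beyond the single fix the article names). The sample inputs are constructed.

```python
import html
import re
from typing import Optional

# Allowlist for a phone-number field: digits, spaces, plus sign, parentheses,
# dots and hyphens, 3 to 20 characters. Anything else (angle brackets, quotes,
# semicolons, ...) is rejected outright, which is the fix Rauch describes.
PHONE_RE = re.compile(r"^[0-9 +().-]{3,20}$")


def validate_phone(value: str) -> Optional[str]:
    """Return the trimmed phone number if it passes the allowlist, else None."""
    value = value.strip()
    return value if PHONE_RE.fullmatch(value) else None


def render_contact_card(name: str, phone: str, message: str) -> str:
    """Build the HTML fragment a lost-item page would show to the finder.

    Every owner-supplied value is HTML-escaped at output time, so even a value
    that slipped past input validation cannot become markup in the page.
    """
    return (
        '<div class="contact">'
        f"<p>Owner: {html.escape(name)}</p>"
        f"<p>Phone: {html.escape(phone)}</p>"
        f"<p>Message: {html.escape(message)}</p>"
        "</div>"
    )


# Constructed sample inputs (not taken from the report): one legitimate
# number and one that carries markup inside the phone field.
GOOD_PHONE = "+1 (555) 010-0100"
BAD_PHONE = '555-0100<script src="https://example.invalid/x.js"></script>'


def demo() -> dict:
    """Run both defences over the samples and report what each one did."""
    results = {
        "good_accepted": validate_phone(GOOD_PHONE) is not None,
        "bad_rejected": validate_phone(BAD_PHONE) is None,
    }
    # Even if the bad value had been stored, escaping on output turns the
    # angle brackets into entities, so no script tag reaches the finder's DOM.
    card = render_contact_card("Owner", BAD_PHONE, "Please call me")
    results["no_tag_in_output"] = "<script" not in card
    return results


if __name__ == "__main__":
    print(demo())
```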