A flaw in Apple’s AirTag allows “good Samaritan” attacks

Apple's AirTag

If you find a lost Apple AirTag, you should take extreme care when handling it, because it may come with a “prize” in the form of malware, as a researcher has discovered.

Apple AirTags are small smart tags that help us find objects we have lost track of. When set to ‘Lost Mode’, an AirTag lets anyone who finds it scan it with a mobile phone and discover its owner's phone number. That sounds good, but the feature can also be abused to carry out so-called “good Samaritan” attacks that redirect the finder to an iCloud phishing page or any other malicious site.

Apple AirTag and security

AirTag’s “Lost Mode” allows users to alert Apple when one of these tags is missing. Setting a tag to this mode generates a unique URL at https://found.apple.com and allows the user to enter a personal message and a contact phone number. Anyone who finds the tag and scans it with an iPhone (or an Android phone) will immediately see that unique Apple URL with the owner’s message.

When scanned, an AirTag in Lost Mode presents a short message asking the finder to call the owner at the specified phone number. This information appears without asking the finder to log in or provide personal information. But the average “Good Samaritan” may not know this. That is important because Lost Mode currently does not prevent an attacker from injecting arbitrary code into the phone number field, with the consequences you can imagine.

The vulnerability was discovered and reported to Apple by Bobby Rauch, a Boston-based security consultant and penetration tester. Rauch told KrebsOnSecurity that this flaw makes the devices cheap and possibly very effective physical Trojan horses.

“I can’t recall another case where this kind of small, low-cost, consumer-grade tracking device could become a cyber weapon,” explains the researcher.

If you think this is not dangerous, recall how Israeli spies introduced the Stuxnet worm using a USB stick to strike Iran’s nuclear enrichment facility a decade ago. In 2008, a cyber attack described at the time as the “worst breach of US military computers in history” was made possible by a USB flash drive that was left in the parking lot of a US Department of Defense facility.

On a practical level, imagine that you find one of these hacked AirTags and connect it to a corporate network to “see what it contains” … Apple has informed the researcher that it is in the process of correcting this vulnerability, a fix that must in any case require additional restrictions on the data that users will be able to enter in the phone number setting in Lost Mode.
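The kind of restriction described above, sketched as an added example (not Apple's code and not from the original article): a strict allowlist check on the phone number before it is stored, plus output encoding when the found page is rendered. The function names, the record shape and the length limits are assumptions made for illustration.

```javascript
// Hypothetical server-side handling of a Lost Mode record (illustrative only).

// Allowlist: optional leading "+", then digits with common separators.
const PHONE_SHAPE = /^\+?[0-9][0-9 ().-]*$/;

// Returns a canonical "+digits"/"digits" string, or null if the input
// is not shaped like a phone number. Reject, do not try to "clean".
function normalizePhone(input) {
  if (typeof input !== "string") return null;
  const trimmed = input.trim();
  if (trimmed.length === 0 || trimmed.length > 32) return null; // assumed cap
  if (!PHONE_SHAPE.test(trimmed)) return null;
  const digits = trimmed.replace(/[^0-9]/g, "");
  // E.164 allows at most 15 digits; the lower bound of 7 is an assumption.
  if (digits.length < 7 || digits.length > 15) return null;
  return (trimmed.startsWith("+") ? "+" : "") + digits;
}

// Encode the five HTML-significant characters before inserting text
// into element content or a quoted attribute.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Renders the page a finder would see. Stored data is re-validated and
// encoded at output time, so a bad record written earlier stays inert.
function renderFoundPage(record) {
  const phone = normalizePhone(record.phone);
  const contact = phone === null
    ? "<p>No valid contact number was provided.</p>"
    : `<p>Call the owner: <a href="tel:${escapeHtml(phone)}">${escapeHtml(phone)}</a></p>`;
  return `<h1>Lost item</h1><p>${escapeHtml(record.message)}</p>${contact}`;
}

// Constructed sample records: one legitimate, one carrying markup.
const samples = [
  { message: "Lost my keys, please call", phone: "+1 (555) 010-0199" },
  { message: "Please call <me>", phone: "<script>/* constructed */</script>" },
];
for (const s of samples) console.log(renderFoundPage(s));
```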

