AirTags, Apple’s Bluetooth item trackers, are designed with good intentions: attached to keys or luggage, they make it easier to find those things when they go missing. But the devices also carry a flaw in their design that could let an unscrupulous person use them maliciously.
Bobby Rauch, a penetration tester and security researcher, recently contacted cybersecurity blogger Brian Krebs about an exploit he discovered that would allow the trackers to be used as a vector for credential theft and other data theft. The attack, which abuses the way Apple’s “Lost Mode” is set up, could target an unsuspecting good Samaritan: someone who finds an AirTag left in a public place and wants to return it to its owner.
When an AirTag goes missing, its owner can track it remotely through Apple’s Find My app, but a person who finds the tag can also help return it. An AirTag can be scanned with the NFC reader on an iPhone or Android phone, and if the tag is in Lost Mode, the finder’s phone will automatically pull up the contact information associated with the device. Owners set this up through Find My: they can include a phone number or email address and enter a short message, probably something like “Hey, this is mine, please return it to XYZ.” When someone finds and scans the AirTag, their phone prompts them to visit a unique URL that displays the owner’s contact information and message. In essence, it is like a dog tag, which usually carries contact information so a lost puppy can be returned.
But while this is a benevolent feature, it also exposes the good Samaritan to a potential attack. That is because there is currently nothing stopping the AirTag owner from injecting arbitrary code into the device’s phone number field, which is then rendered on the page the finder is sent to. That code could redirect whoever scans the AirTag to a phishing site or another malicious website designed to harvest credentials or steal personal information, Rauch told Krebs. In theory, a malicious actor could therefore buy AirTags for the express purpose of turning them into Trojan horses, then leave them scattered around for an unsuspecting person to pick up.
Krebs aptly compares this to the classic ploy in which a hacker leaves an unlabeled flash drive lying around, usually in a company parking lot or some other public space. Eventually some curious, unfortunate person picks up that USB drive and plugs it into their computer, quietly unleashing whatever malware is hidden on it. Similarly, a bad actor could conspicuously leave AirTags lying around alongside a “lost” item or two, and just wait for someone to pick one up and try to helpfully return it to its rightful owner.
Apple has apparently been slow to react to the issue. Rauch, who discovered the exploit, told Krebs that he approached the company in June and was essentially brushed off. For three months, Apple officials told Rauch only that they were “still investigating” his claims, without committing to making the problem public or telling him whether he qualified for their bug bounty program. Finally, when Rauch contacted Krebs last Friday, the company got in touch with him and said it planned to fix the bug in an upcoming update. It also asked him not to publish his findings.
Rauch did just that anyway, writing a blog post that explains how the exploit works: “An attacker can create weaponized AirTags and leave them around, victimizing innocent people who are simply trying to help a person find their lost AirTag,” he writes.
We reached out to Apple for comment on all of this. They had not responded at the time of publication. We will update this story if they do.