The recently discovered weakness of the AirTag allows potential attackers to redirect users to a malicious website when the device is scanned in lost mode, effectively turning the tracker into a Trojan horse.
Lost Mode is the AirTag feature which, when activated, allows anyone with an NFC-enabled device to scan the tracker and read a pre-programmed message that may include the owner’s phone number. It helps recover lost items such as car keys when the Find My network fails to locate the AirTag.
Researcher Bobby Rauch has discovered a vulnerability that turns Lost Mode into a potential attack vector.
As Krebs on Security reported, Lost Mode generates a unique URL at https://found.apple.com, where owners can enter a personal message and phone number to be shown if the device is found. Rauch found that Apple’s systems do not prevent the insertion of arbitrary code in the phone number field, which means that the well-meaning good Samaritans who scan the device can be sent to a malicious website.
“I can’t think of another case where such low-cost consumer-class tracking devices like this could be armed,” Rauch said.
In a Medium post released today, Rauch explains that a stored XSS exploit can be used to inject a malicious payload that redirects to a phishing site, which then collects sensitive credentials using a keylogger. Rauch says other XSS attacks could be applied as well, such as session token hijacking and clickjacking.
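As an added defensive illustration (not Apple’s code, and not from Rauch’s post), the following Python sketch shows the two controls that close this class of bug: an allowlist validator for the phone-number field, so markup never reaches storage, and HTML escaping of every owner-supplied value when the Lost Mode page is rendered. The phone pattern, page layout and sample inputs are assumptions constructed for the example.

```python
import html
import re
from typing import Optional

# Assumed allowlist for the owner's phone number: optional "+", a leading
# digit, then digits, spaces, dots, dashes or parentheses, ending in a digit.
# Anything outside this set (angle brackets, quotes, scheme prefixes) is
# rejected before it is ever stored. This policy is an assumption, not Apple's.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 .()\-]{5,18}[0-9]$")


def validate_phone(raw: str) -> Optional[str]:
    """Return the trimmed phone string if it passes the allowlist, else None."""
    value = raw.strip()
    return value if PHONE_RE.fullmatch(value) else None


def render_lost_mode_page(message: str, phone: Optional[str]) -> str:
    """Build the HTML a finder sees.

    Every user-supplied value is HTML-escaped on output as a second layer,
    so even a value that slipped past input validation is shown as text,
    not interpreted as markup.
    """
    safe_msg = html.escape(message, quote=True)
    safe_phone = html.escape(phone, quote=True) if phone else "not provided"
    return (
        "<p>This item is lost.</p>"
        f"<p>Message from owner: {safe_msg}</p>"
        f"<p>Contact: {safe_phone}</p>"
    )


if __name__ == "__main__":
    # Constructed sample inputs, not real data.
    print(validate_phone("+1 (555) 010-0100"))   # accepted as-is
    print(validate_phone("555-0100<script>"))    # rejected: None
    print(render_lost_mode_page("<b>Call me</b>", "+1 555 0100"))
```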
The researcher notified Apple of the vulnerability on June 20 and said he planned to publish the details after 90 days, in line with standard responsible-disclosure practice. Since then he has received little beyond statements that the company is still investigating the bug. Apple did not answer questions about progress on a fix and did not say whether Rauch would be credited in a future security advisory, the report said. The company also did not comment on whether the bug was eligible for a payout under Apple’s Bug Bounty program.
Last Thursday, five days after the 90-day disclosure deadline expired, Apple contacted Rauch to say the weakness would be addressed in an upcoming update and asked him not to speak publicly about the bug.
“I told them, I am willing to work with you if you can provide some details on when you plan to correct this, and whether there will be recognition or payment of errors,” Rauch said. “Their response was basically, we’d be grateful if you didn’t post this.”
Rauch went public to protest Apple’s lack of communication, the report said.
Numerous other researchers have expressed frustration with Apple’s bug reporting program, including security researcher Denis Tokarev. Last week, Tokarev described in detail his experience with the Bug Bounty program, saying that he had identified and reported four flaws to Apple, but only one had been fixed. Apple later apologized for the delay and said it was still investigating the problems.
AirTag has been an area of interest to the security research community since its launch in April. Shortly after the device’s release, researchers found a method by which AirTag could be used to send short messages over the Find My network.