AirTags are small, lightweight, and therefore quite easy to lose. But it turns out Apple’s solution for tracking down a lost AirTag includes a serious security flaw.
When Apple released the AirTag, a small, puck-shaped tracker, it included a “Lost Mode” in case you can’t locate your lost tracker using the Find My app. Lost Mode allows you to create a custom message to be displayed when your AirTag is found by someone else and scanned using NFC on either an iOS or Android device. This also presents your contact details to help reunite you with the AirTag.
As KrebsOnSecurity reports, security consultant and penetration tester Bobby Rauch discovered that Lost Mode can be used maliciously. Enabling Lost Mode generates a unique https://found.apple.com page containing the AirTag’s serial number, a personal message, and a phone number. However, due to a security oversight, a malicious user can also add a payload in the form of a script attached to the phone number field, which the page then renders for whoever scans the tag.
A number of attacks are possible, but ultimately the Good Samaritan who picked up the AirTag can face the prospect of having their credentials stolen, for example, by being redirected to a cloned iCloud login page ready to collect their login details. If this sounds familiar, it’s the equivalent of a malicious USB stick dropped on the floor (or arriving in the mail) waiting for a victim to pick it up and plug it into a PC.
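As an added illustration (not Apple’s code and not taken from Rauch’s write-up), the following shows the rendering pattern that makes a “lost” contact page like this one vulnerable, next to a hardened version that validates the phone field against an allowlist and HTML-escapes every owner-supplied value on output; all function names and sample values are constructed.

```javascript
// Constructed sample inputs: an ordinary phone number and one carrying
// markup of the kind the article says the phone field accepted.
const SAMPLE_PHONE_OK = '+1 415-555-0100';
const SAMPLE_PHONE_UNSAFE = '555-0100<script>doSomething()</script>';

// Escape the characters that change meaning in HTML text and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist validation for a phone number: optional leading '+', then only
// digits, whitespace, parentheses, dots and hyphens, 3 to 20 characters.
function isValidPhone(s) {
  return /^\+?[\d\s().-]{3,20}$/.test(String(s));
}

// Vulnerable pattern: owner-supplied fields interpolated straight into markup.
// Anything the owner typed, script tags included, becomes part of the page.
function renderLostPageUnsafe(serial, message, phone) {
  return `<p>Serial: ${serial}</p><p>${message}</p><p>Call: ${phone}</p>`;
}

// Hardened pattern: reject malformed phone numbers on input (fail closed),
// and escape every field on output so the browser treats it as text only.
function renderLostPageSafe(serial, message, phone) {
  if (!isValidPhone(phone)) {
    throw new Error('phone number rejected by allowlist');
  }
  const tel = escapeHtml(phone);
  return `<p>Serial: ${escapeHtml(serial)}</p>` +
         `<p>${escapeHtml(message)}</p>` +
         `<p>Call: <a href="tel:${tel}">${tel}</a></p>`;
}
```

Output escaping is the control that actually stops the injection; the allowlist is defence in depth, since the serial and message fields still need escaping even when the phone number is clean.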
Rauch reported the vulnerability to Apple on June 20, and Apple asked him not to talk about it, but a fix has yet to be released. Apple has since confirmed to Rauch that a fix is in the works, but through a combination of frustration and a desire to make people aware of this risk, Rauch decided to share the details publicly. So until Apple fixes this zero-day flaw, be wary of picking up and scanning a “lost” AirTag, as it may well be a trap waiting for its next victim.