The AirTag feature that lets anyone with a smartphone scan a lost AirTag to find the owner's contact information can be abused for phishing scams, a new report reveals.
When an AirTag is put into Lost Mode, it generates a URL at https://found.apple.com and allows the AirTag owner to store a phone number or email address. Anyone who scans the AirTag over its NFC interface is then automatically redirected to this URL, which shows the owner's contact information; no login or personal data is required to view the contact details provided.
“Lost Mode”: Phone number field could be abused for phishing
According to KrebsOnSecurity, however, Lost Mode does not prevent users from inserting arbitrary code into the phone number field, so a person scanning an AirTag can be redirected to a fake iCloud login page or another malicious website. Someone who is unaware that no personal information is required to view an AirTag's details could then be tricked into providing their iCloud login credentials or other personal information. Alternatively, the redirection could also download or otherwise execute malicious software. This particular AirTag vulnerability was discovered by security consultant Bobby Rauch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous.
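The weakness described above is a classic untrusted-input problem: a field meant to hold a phone number is written into a web page without being validated or escaped. The following Python snippet is an added illustration, not code from the article, from KrebsOnSecurity or from Apple; the field name, page template and sample inputs are all constructed. It contrasts a naive pass-through rendering with a hardened one that only accepts a phone-number-shaped value and HTML-escapes it on output.

```python
"""
Added example (constructed; not the article's or Apple's code): how a stored
"contact phone number" can be rendered into a lost-item page, comparing a naive
pass-through with a validated and escaped rendering.
"""
import html
import re
from typing import Optional

# Allow-list for the phone field: optional leading '+', then 7 to 15 digits
# (E.164 length bounds). Common formatting characters (spaces, hyphens,
# parentheses, dots) are stripped first so ordinary numbers are accepted,
# but nothing else is allowed to survive.
_PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")
_FORMATTING_RE = re.compile(r"[\s\-().]")


def normalize_phone(raw: str) -> Optional[str]:
    """Return a canonical phone string, or None if the input is not a phone number."""
    candidate = _FORMATTING_RE.sub("", raw.strip())
    if _PHONE_RE.fullmatch(candidate):
        return candidate
    return None


def render_contact_unsafe(contact: str) -> str:
    """Vulnerable pattern: whatever the owner stored is written into the page as-is."""
    return f"<p>Contact the owner: {contact}</p>"


def render_contact_safe(contact: str) -> str:
    """Hardened pattern: allow-list at input time, HTML-escape at output time."""
    phone = normalize_phone(contact)
    if phone is None:
        # Reject the value; never echo the rejected input back into markup.
        return "<p>Contact the owner: (no valid phone number on file)</p>"
    # The allow-list already excludes markup characters; escaping is a second
    # layer in case the validation rule is later loosened.
    return f"<p>Contact the owner: {html.escape(phone)}</p>"


def contains_markup(rendered: str) -> bool:
    """Crude check used by the demo: does the rendered contact line carry a tag?"""
    return "<script" in rendered.lower() or "<a " in rendered.lower()


# Constructed sample inputs: two ordinary numbers and one with injected markup
# (a generic test marker, not a real payload).
SAMPLES = [
    "+1 415 555 0100",
    "(415) 555-0100",
    "<script>alert(1)</script>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("input:      ", repr(sample))
        print("unsafe html:", render_contact_unsafe(sample))
        print("safe html:  ", render_contact_safe(sample))
        print()
```

The two layers matter independently: the allow-list stops non-phone values from ever being stored, and output escaping protects the page even if the stored data was accepted under an older, weaker rule.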
I can't think of any other case where these small, inexpensive consumer tracking devices could be used as a weapon.
Vulnerability: Apple asks for silence
According to his own statements, Rauch contacted Apple on June 20th. Notably, the company needed several months to investigate the case. Last Thursday, Apple informed Rauch that the vulnerability would be fixed in an upcoming update. At the same time, Apple asked him to keep quiet. Rauch then wanted to know whether he would receive a reward. Apple itself did not respond to his question, which is why he decided to make the vulnerability public. KrebsOnSecurity quotes Rauch as follows:
"I told them: I'm willing to work with you if you can tell me when you plan to fix the vulnerability and if there will be an acknowledgement or a bug bounty payout." He told Apple that he planned to publish his findings within 90 days of the report. The response was: "We would appreciate it if you didn't publish this."
Just last week, security researcher Denis Tokarev disclosed several zero-day vulnerabilities in iOS after Apple ignored his reports and did not fix the problems for several months. Apple has since apologized, but the company continues to be criticized for its bug bounty program and the slowness with which it responds to important reports like this one.
(Photo by Unsplash / Đức Trịnh)