Image Courtesy: PC Mag
Whenever the AirTag has been set to lost mode, anybody who discovers one of these tiny position beacons may scan it with a mobile phone and obtain its owner’s phone number. According to a new study, this same functionality may be exploited to reroute the Good Samaritan to an iCloud phishing page – or any other malicious website.
The AirTag’s “Lost Mode” allows users to notify Apple when an AirTag goes lost. When you set it to Lost Mode, it produces a unique URL at https://found.apple.com and allows you to input a personal message and contact number. Anyone who discovers the AirTag and scans it with an Apple or Android phone will see the unique Apple URL with the owner’s message right away.
When scanned, an AirTag in Lost Mode will display a brief message instructing the finder to contact the owner at the phone number provided. This data appears without requiring the finder to log in or submit any personal information. However, an ordinary Good Samaritan may be unaware of this.
This is significant because Apple’s Lost Mode presently does not prevent users from inserting arbitrary computer code into its phone number field — for example, code that directs the Good Samaritan’s device to visit a fraudulent Apple iCloud login page.
Bobby Rauch, a security consultant and penetration tester from Boston, found and reported the issue to Apple. According to Rauch, the AirTag flaw makes the devices inexpensive and potentially highly powerful physical trojan horses.
Rauch stated that he has reported numerous software vulnerabilities to other vendors over the years, and that Apple’s lack of communication prompted him to go public with his findings — despite Apple’s claim that staying silent about a bug until it is fixed is how researchers qualify for recognition in security advisories.
The most prevalent concerns were that Apple takes too long to resolve flaws, that it does not always compensate or publicly acknowledge hackers for their discoveries, and that researchers frequently receive little or no reply from the business.
Rauch admits that the AirTag flaw he discovered isn’t the most urgent security or privacy issue Apple is dealing with right now. However, he claims that it is not difficult to solve this specific problem, which necessitates extra limitations on the data that AirTag users may enter into the Lost Mode’s phone number settings.