Most of the time, Apple’s AirTags can be a lifesaver. You’re running late and have lost your keys somewhere in the house? If you’ve got an AirTag attached, you’ll find them in no time. They also have a neat feature: a tag found out in the wild can be scanned to show its owner’s contact info. But a recently discovered vulnerability allows would-be attackers to abuse that feature to redirect anyone who scans the tag to a website of the attacker’s choosing.
How it’s supposed to work: once you’ve lost an AirTag, say in another country or somewhere you can’t easily get to, you can activate Lost Mode from the Find My app on your Apple device. The tag then generates a unique URL where the owner can leave a message with their contact details, so that if someone finds it and feels like being a good person, they can arrange to return it. When someone scans the tag with an NFC-capable device, it automatically redirects them to a webpage containing those details.
But… security consultant and penetration tester Bobby Rauch discovered a vulnerability that allows potential attackers to use this feature against you. Doing so is scarily easy.
In a Medium post, he outlines one way someone could exploit this vulnerability. The process involves redirecting whoever scans the tag to a very legitimate-looking Apple login page that asks the viewer to sign in with an Apple ID username and password. The site is not legitimate: it uses a keylogger to capture your credentials and sends them to the attacker. That’s a very bad thing.
Everyone to Apple: “I’m in.”
Speaking to Krebs on Security, Rauch says he informed Apple about the vulnerability in June, telling the company that he would make the information public in 90 days, as is usual with disclosures of this nature.
According to Rauch, each time he followed up with Apple during those three months, the company said it was still investigating. Then, five days after the 90-day disclosure window had expired, Apple responded, said the vulnerability would be patched in an upcoming update, and asked him not to publish the details. He published anyway, to protest Apple’s lack of communication.
The moral of the story: if you come across an AirTag out in the wild and, upon scanning it, you’re asked to log in, don’t. After all, when you find a USB stick lying around in public, your first thought shouldn’t be to plug it in and see what’s on it. That’s how the US Department of Defense was made to look foolish, an incident that led to the creation of US Cyber Command.