
Beware poisoned Apple AirTags that exploit unpatched "Lost Mode" flaw

Graham CLULEY

September 30, 2021


If you're unlucky enough to mislay your Apple AirTag tracking device, or the item it is attached to, then never fear.  Apple AirTags have a feature that allows anyone who finds one to scan it with their smartphone, and be taken to information which lists the owner's phone number so your property can be returned to you.

That's very cool.  But what isn't cool is that the feature can be abused to deliver malware or steal credentials from the unwitting Good Samaritan who is trying to locate an AirTag's genuine owner.

Security researcher and penetration tester Bobby Rauch has shared details of the security flaw after failing to receive an adequate response from Apple.

As Rauch describes, Apple has so far ignored a security vulnerability in the "Lost Mode" functionality of AirTags which allows an attacker to weaponise the information displayed when the location-tracking device is scanned via near-field communication (NFC).

Someone who finds a lost AirTag and scans it with their smartphone finds themselves taken to a webpage at https://found.apple.com, containing custom instructions on how to contact the device's owner.

However, Apple does not sanitise the phone number field, so an AirTag's owner can plant a malicious script in it.  Cross-site scripting code stored in the phone number field could redirect visitors to a fake iCloud login page, or trick users into downloading a malicious app.
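To make the flaw concrete, here is an added example (not Apple's code, and not Rauch's) of how a stored cross-site scripting bug of this kind arises when an owner-supplied contact field is dropped straight into the page, alongside a hardened rendering that validates and HTML-encodes the field. The page layout, function names and the sample payload are all constructed for illustration.

```javascript
// Added example (not Apple's code): a stored-XSS defect of the shape described
// above, beside a fixed version. The markup, function names and the payload are
// constructed; nothing here reflects how found.apple.com is actually built.

// HTML-encode the characters that can change meaning in text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Allow-list validation for a phone number: an optional leading '+', then digits
// with spaces, parentheses, dashes or dots. Markup cannot pass this check.
function isValidPhoneNumber(value) {
  return /^\+?[0-9][0-9 ()\-.]{4,19}$/.test(value);
}

// Vulnerable rendering: the owner-controlled value is concatenated into the HTML
// unchanged, so a <script> element stored in the field runs in the finder's browser.
function renderLostPageVulnerable(phone) {
  return `<p>Please contact the owner at: ${phone}</p>`;
}

// Hardened rendering: reject anything that is not a phone number, and encode what
// is rendered so the browser treats it as text rather than as markup.
function renderLostPageHardened(phone) {
  if (!isValidPhoneNumber(phone)) {
    return '<p>The owner\'s contact details could not be displayed.</p>';
  }
  return `<p>Please contact the owner at: ${escapeHtml(phone)}</p>`;
}

// Constructed sample payload: a script element stored where a phone number belongs.
const CONSTRUCTED_PAYLOAD = '<script>alert("xss")</script>';

// True when the rendered HTML still contains an executable script element.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log('vulnerable:', renderLostPageVulnerable(CONSTRUCTED_PAYLOAD));
console.log('hardened:  ', renderLostPageHardened(CONSTRUCTED_PAYLOAD));
console.log('valid number:', renderLostPageHardened('+1 415 555 0100'));
```

Both layers matter: the allow-list rejects the payload outright, and the encoding step means that even a value which slips past validation (or a looser validator written later) is rendered as inert text. A Content Security Policy that forbids inline scripts would add a third, independent layer on the served page.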

Rauch explains:

"Other XSS exploits can be carried out as well like session token hijacking, clickjacking, and more. An attacker can create weaponised AirTags and leave them around, victimising innocent people who are simply trying to help a person find their lost AirTag."

In short, the security failing could be exploited by a hacker to perform an equivalent attack to leaving malware-infected USB sticks lying around in the car park of a company they want to break into.

Sooner or later, someone will find the AirTag and attempt to scan it to find its true owner - and could end up having their credentials phished, or malware planted, as a result.

At the time of writing Apple has not patched the flaw, despite being informed about it by Rauch in June.  Until the problem is fixed, exercise caution when scanning lost AirTags, just in case a malicious hacker is attempting to trick you - a Good Samaritan - into handing over your iCloud passwords or installing malware.
