Apple has acknowledged that it’s aware of a serious vulnerability plaguing its personal item tracker, dubbed AirTag. The nasty bug allows nefarious actors to redirect the person who finds and scans a lost AirTag to a phishing website instead of the Apple one. The company has confirmed it is working on a fix, saying the solution will be arriving in the next software update.
- AirTag has a major vulnerability that’s perfect for phishing scams
- It turns the device’s Lost Mode into a potential attack vector
- Attackers can inject rogue code into Lost Mode’s phone number field
- Scanning such a device could redirect you to a phishing website
- Apple will deliver a fix in the next update, but no date is known
Apple promises to fix the AirTag’s Lost Mode vulnerability
Putting an AirTag in Lost Mode via the Find My app lets you add a custom message that the person who finds the accessory can reveal on a special webpage at found.apple.com. The owner’s custom message to the finder may include their phone number or email address. This information is shown when scanning a lost AirTag with any NFC-equipped smartphone without requiring any login or password. Read: How to correctly scan an AirTag with your phone
But as KrebsOnSecurity has discovered, a major oversight in this system could be easily abused for nefarious purposes, such as various phishing scams. A victim basically trusts they’re being legitimately asked to sign in to iCloud so they can get in contact with the owner of the AirTag whereas in reality their credentials are being hijacked.
An attacker can create weaponized AirTags, and leave them around, victimizing innocent people who are simply trying to help a person find their lost Airtag.
The vulnerability could also be leveraged to run attacks like session token hijacking or clickjacking. Apple will deliver a fix in an upcoming update, but no release date is known.
How the AirTag Lost Mode vulnerability works
KrebsOnSecurity explains that a vulnerability in Apple’s system allows an attacker to embed arbitrary computer code into the phone number field. When someone finds a lost AirTag with rogue code injected into the phone number field, then scans the accessory, they may be sent to a malicious site that could fool them into providing their iCloud credentials.
“I can’t remember another instance where these sort of small consumer-grade tracking devices at a low-cost like this could be weaponized,” security consultant Bobby Raunch was quoted as saying. In a back-and-forth via email between Rauch and Apple, the company informed him that it planned to address the weakness in an upcoming update.
So does that mean that you should stay away from lost AirTags you may stumble upon?
What to do if you find a lost AirTag
If upon scanning a lost AirTag you’re taken to a webpage that looks like the iCloud login webpage or any similar webpage requiring you to log in, you should immediately navigate away.
Scanning a lost AirTag should always open a webpage at found.apple.com, and that page requires no login whatsoever to reveal underlying information about the AirTag.