Apple's new $30 AirTag tracking device has a feature that lets anyone who finds one of these tiny location beacons scan it with a mobile phone and learn its owner's phone number, provided the AirTag has been put into lost mode. But according to new research, that same feature can be abused to redirect the Good Samaritan to an iCloud phishing page, or to any other malicious website.
AirTag's "lost mode" lets users alert Apple when an AirTag goes missing. Setting it to lost mode generates a unique URL at https://found.apple.com and lets the owner enter a personal message and a contact phone number. Anyone who finds the AirTag and scans it with an Apple or Android phone will immediately see that unique Apple URL with the owner's message.
Once scanned, an AirTag in lost mode presents a short message asking the finder to call the owner at the specified phone number. This information is displayed without asking the finder to log in or provide any personal information. But the average Good Samaritan might not know that.
This matters because Apple's Lost Mode currently does not prevent users from injecting arbitrary computer code into its phone number field, such as code that causes the Good Samaritan's device to visit a fake Apple iCloud login page.
The vulnerability was discovered and reported to Apple by Bobby Rauch, a Boston-based security consultant and penetration tester. Rauch told KrebsOnSecurity that the AirTag weakness makes the devices cheap and potentially very effective physical Trojan horses.
"I don't recall another instance where these kinds of small, low-cost, consumer-grade trackers like this could be weaponized," Rauch said.
Imagine the scenario where an attacker drops a malware-laden USB drive in the parking lot of a business they want to hack. Chances are, sooner or later, an employee will pick up that sucker and plug it into a computer, just to see what's on it (the drive may even be labeled with something tempting, like "Employee Salaries").
If this sounds like a script from a James Bond movie, you're not far off. A malware-laden USB drive is most likely how American and Israeli cyber hackers got the infamous Stuxnet worm into the air-gapped internal network that supported Iran's nuclear enrichment facilities a decade ago. In 2008, a cyberattack described at the time as "the worst breach of US military computers in history" was traced to a USB drive left in the parking lot of a US Department of Defense facility.
In a modern take on this tale, a weaponized AirTag could be used to redirect the Good Samaritan to a phishing page, or to a website that tries to plant malware on their device.
Rauch contacted Apple about the bug on June 20, but for three months, whenever he inquired about it, the company simply said it was still investigating. Last Thursday, the company sent Rauch a follow-up email saying it planned to address the weakness in an upcoming update, and in the meantime, would he mind not talking about it publicly?
Rauch said Apple never answered basic questions he asked about the bug, such as whether they had a timeline for fixing it, and if so, whether they planned to credit him in the accompanying security advisory. Or whether his submission would qualify for Apple's bug bounty program, which promises financial rewards of up to $1 million to security researchers who report security bugs in Apple products.
Rauch said he has reported numerous software vulnerabilities to other vendors over the years, and that Apple's lack of communication prompted him to make his findings public, even though Apple says staying quiet about a bug until it is fixed is how researchers qualify for recognition in security advisories.
"I told them, 'I'm willing to work with you if you can provide details on when you plan to fix this, and whether there would be any bug recognition or bounty payment,'" Rauch said, noting that he told Apple he planned to release his findings within 90 days of notification. "Their response was basically, 'We would appreciate it if you didn't disclose this.'"
Rauch's experience echoes that of other researchers interviewed in a recent Washington Post article about how frustrating it can be to report security vulnerabilities to Apple, a notoriously secretive company. Common complaints were that Apple is slow to fix bugs and doesn't always pay or publicly acknowledge hackers for their reports, and that researchers often receive little or no feedback from the company.
The risk, of course, is that some researchers will decide it is less complicated to sell their exploits to vulnerability brokers or on the darknet, which often pay far more than bug bounty rewards.
There is also a risk that frustrated researchers will simply post their findings online for everyone to see and exploit, whether or not the vendor has released a fix. Earlier this week, a security researcher known as "illusionofchaos" published details of three zero-day vulnerabilities in Apple's iOS mobile operating system, apparently out of frustration with trying to work through Apple's bug bounty program.
Ars Technica reports that on July 19, Apple fixed a bug that illusionofchaos had reported on April 29, but which Apple neglected to credit in its security advisory.
"Frustration over Apple's failure to keep its own promises led illusionofchaos to first threaten and then publicly drop this week's three zero-days," wrote Jim Salter for Ars. "In illusionofchaos' own words: 'Ten days ago I asked for an explanation and warned then that I would make my research public if I didn't receive an explanation. My request was ignored, so I'm doing what I said I would.'"
Rauch said he realizes the AirTag bug he discovered is probably not the most pressing security or privacy issue Apple is currently facing. But he said it is also not difficult to fix this particular flaw, which requires only additional restrictions on the data AirTag users can enter in Lost Mode's phone number field.
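As an added illustration (not Apple's code and not part of Rauch's research), the following Python sketches the two halves of the fix described above and the flaw described earlier: an allow-list validator that rejects anything other than a phone number before it is stored, and HTML output encoding when the stored value is rendered into the page shown to the finder. The `render_unsafe` function reproduces the flawed pattern, raw interpolation of an owner-supplied field into HTML; the page markup, function names and sample inputs are all constructed for this example.

```python
import html
import re
from typing import Optional

# Allow-list for a contact number: optional leading '+', then 5 to 25
# characters drawn from digits and a few separators. Angle brackets, quotes,
# semicolons and URL schemes cannot match, so markup never reaches storage.
_PHONE_RE = re.compile(r"^\+?[0-9][0-9 ().-]{4,24}$")


def validate_phone(raw: str) -> Optional[str]:
    """Return the trimmed number if it passes the allow-list, else None."""
    candidate = raw.strip()
    if not _PHONE_RE.fullmatch(candidate):
        return None
    # Separators alone must not pass: insist on a minimum number of digits.
    if sum(ch.isdigit() for ch in candidate) < 5:
        return None
    return candidate


def render_unsafe(phone: str, message: str) -> str:
    """The flawed pattern: owner-supplied fields dropped straight into HTML."""
    return (f"<p>{message}</p>"
            f'<p>Please call <a href="tel:{phone}">{phone}</a></p>')


def render_safe(phone: str, message: str) -> Optional[str]:
    """Hardened: validate on input, escape on output, or refuse to render."""
    clean = validate_phone(phone)
    if clean is None:
        return None
    # html.escape also escapes quotes, so the value is safe inside the
    # href attribute as well as in text content.
    return (f"<p>{html.escape(message)}</p>"
            f'<p>Please call <a href="tel:{html.escape(clean)}">'
            f"{html.escape(clean)}</a></p>")


# Constructed sample inputs (hypothetical; not taken from the article
# or from Apple's service).
BENIGN_PHONE = "+1 (555) 010-0100"
HOSTILE_PHONE = "555-0100<script>x()</script>"
HOSTILE_MESSAGE = "<b>Reward offered</b>"


def demo() -> dict:
    """Run both renderers over the samples and report what each would emit."""
    return {
        "unsafe_contains_markup": "<script>" in render_unsafe(HOSTILE_PHONE, "hi"),
        "safe_rejects_hostile_phone": render_safe(HOSTILE_PHONE, "hi") is None,
        "safe_escapes_message": "<b>" not in render_safe(BENIGN_PHONE, HOSTILE_MESSAGE),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The validator is deliberately an allow-list rather than a deny-list of dangerous characters: a phone number has a small, well-defined alphabet, so anything outside it can be refused outright, and the escaping in `render_safe` is kept as a second layer for the free-text message field, where rejecting input is not an option. Rejected submissions are also a useful thing to log, since a burst of them against one account is a cheap signal that someone is probing the field.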
“It’s a pretty easy thing to fix,” he said. “Having said that, I imagine they probably also want to understand how it got missed in the first place.”
Apple did not respond to requests for comment.
Update, 12:31 p.m.: Rauch shared an email showing that Apple communicated its intention to fix the bug just hours before, not after, KrebsOnSecurity contacted them for comment. The story above has been edited to reflect this.