Apple's AirTags are making it easier to phish people and steal their Apple accounts, says a security researcher. Bobby Rauch, a cybersecurity consultant in the Boston area, said in a blog post today (Sept. 28) that Apple is making it too easy for AirTag owners to sneak malicious code into the online message left for people who find a lost tracking disk. He stated that this makes it too easy for the company to.
"I can't recall any other example of such a low-cost, small consumer tracking device being weaponized," Rauch told independent security reporter Brian Krebs, who first broke the story.
Tom's Guide has reached out to Apple for comment.
Note that you do not need to be logged into your iCloud or Apple account to report a discovered AirTag, which helps protect you from this type of attack.
You should also enable two-factor authentication to make it difficult for an attacker who does not own an Apple device to log into your Apple account, even if they have your Apple username and password.
If you believe your Apple ID has been phished or otherwise stolen, change your Apple password immediately.
In a series of YouTube clips posted on Medium, Rauch showed how to use commercially available software to inject an invisible script into the phone number field that AirTag owners fill out when reporting a missing AirTag to Apple.
An iPhone user who finds a lost AirTag wirelessly connects his or her iPhone to the AirTag, which in turn forces the iPhone to open a page dedicated to the lost device on found.apple.com.
Usually, that Found page contains information to contact the rightful owner of the lost AirTag. In this case, however, a hidden script secretly redirects the victim's iPhone to a phishing page that looks like a standard iCloud login page but actually steals the victim's Apple username and password.
"Since AirTags were recently released, most users will not realize that accessing the https://found.apple.com page requires no authentication at all," Rauch wrote on Medium. "The link can also be used as a phishing link and shared via a desktop or laptop, without needing a mobile device to scan the AirTag."
Rauch told Krebs that he told Apple about the vulnerability in June, but Apple left it alone for three months while the company investigated. After the three months had elapsed, which is generally considered a sufficient time for security researchers to disclose unpatched flaws, Rauch contacted Krebs.
Krebs asked Apple for comment, but shortly thereafter Apple sent an email to Rauch, asking him not to discuss the vulnerability in public. Rauch apparently refused, telling Krebs that he did not get a timeline as to when the bug would be fixed, whether he would be credited with finding the bug, or whether he would get any kind of "bug bounty."
Last week, another security researcher, fed up with waiting for Apple to patch the flaws he had discovered, published exploits of those flaws online.
Rauch told Krebs that to patch the problem, he simply needed to ban certain characters from the Found page input field.
"It's a very simple thing to fix," he said.
"That said, perhaps they [Apple] would like to figure out how this was missed in the first place."
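The mechanism described above (owner-supplied text from the phone number field rendered unescaped on the Found page) and the fix Rauch describes (restricting what the field accepts) can be seen side by side in the following added example. It is illustrative code written for this article, not Apple's code; the page template, the phone-number pattern and the sample inputs are all assumptions.

```python
import html
import re
from typing import Optional

# Assumed allow-list for a phone number: an optional leading "+", then digits,
# spaces, dots, dashes and parentheses, 6 to 20 characters in total.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 .()\-]{5,19}$")

# Constructed sample inputs: a normal number and one carrying markup.
SAMPLES = {
    "legit": "+1 (617) 555-0100",
    "hostile": "555-0100<script>alert('xss')</script>",
}


def render_found_page_vulnerable(phone: str) -> str:
    """'Before': the owner's text is concatenated straight into the HTML that
    the finder's browser renders, so any markup in the field is executed."""
    return f"<p>Contact the owner at: {phone}</p>"


def validate_phone(phone: str) -> Optional[str]:
    """Input validation at write time. An allow-list is stricter than banning
    individual characters: anything that is not a phone number is rejected."""
    phone = phone.strip()
    return phone if PHONE_RE.fullmatch(phone) else None


def render_found_page_hardened(phone: str) -> str:
    """'After': reject non-phone input, and HTML-escape whatever is rendered
    anyway, so a validation gap still cannot turn into script execution."""
    safe = validate_phone(phone)
    if safe is None:
        return "<p>Contact information unavailable.</p>"
    return f"<p>Contact the owner at: {html.escape(safe)}</p>"


def render_found_page_escaped_only(phone: str) -> str:
    """Second layer on its own: output encoding without validation. The text
    survives as literal characters and is never interpreted as a tag."""
    return f"<p>Contact the owner at: {html.escape(phone)}</p>"


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "vulnerable:", render_found_page_vulnerable(value))
        print(name, "hardened:  ", render_found_page_hardened(value))
```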