A security researcher has shown that AirTags can be weaponized by injecting code into the phone number field before placing it into Lost mode and dropping it in strategic places. Apple has confirmed the finding.
When someone finds the AirTag and scans it, they will be redirected to the website of the attacker’s choice, which could include a fake iCloud login to report the find …
Boston-based security consultant Bobby Rauch discovered the vulnerability back in June, informed Apple, and said he would allow the company 90 days before publicly disclosing the flaw. This 90-day period is common practice in the security field, allowing a company enough time to issue a patch while incentivizing them to do so promptly.
However, he said that Apple failed to fix it within the 90-day period, and also did not tell him when it would do so, whether he would be credited, and whether he would qualify for a bug bounty. Accordingly, he has now disclosed the vulnerability.
Apple has been criticized by the infosec community for the way it responds to zero-day flaw reports.
When someone finds an AirTag attached to an item, they can scan it with their iPhone or Android phone. That will display a phone number entered by the owner, and also direct them to a personalized link at https://found.apple.com that enables them to alert the owner.
However, Rauch found that it’s possible to inject XSS code into the phone number field.
An attacker can carry out Stored XSS on this https://found.apple.com page, by injecting a malicious payload into the Airtag “Lost Mode” phone number field. A victim will believe they are being asked to sign into iCloud so they can get in contact with the owner of the Airtag, when in fact, the attacker has redirected them to a credential hijacking page.
That will cause the Good Samaritan who scanned the AirTag to be redirected to another website. A likely one would be a phishing attack using a clone of the genuine site that asks them to log in with their iCloud credentials. If the finder scanned the tag with their iPhone, they might think nothing of this, log in and have their credentials stolen. If the fake website then directs them back to the real one, they may be completely unaware anything is wrong.
Rauch says that other code could also be injected.
Other XSS exploits can be carried out as well like session token hijacking, clickjacking, and more. An attacker can create weaponized Airtags, and leave them around, victimizing innocent people who are simply trying to help a person find their lost Airtag.
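The root cause described above is a free-text field whose contents are later written into a web page. As an added illustration (not Apple's code, and not a description of the found.apple.com implementation), the snippet below shows the two defensive layers such a field needs: a strict allowlist on the stored phone number, and HTML encoding at render time. The function names and the sample values are constructed for this example.

```javascript
// Added example, not Apple's code: hardening a "Lost Mode" contact field.
// Layer 1: allowlist the value on input. Layer 2: HTML-encode on output,
// so a value that somehow bypasses layer 1 still renders as inert text.

// Allowlist: digits, spaces, "+", "(", ")", "." and "-", 5 to 20 characters.
// Anything else (angle brackets, quotes, colons, letters) is rejected outright.
const PHONE_ALLOWLIST = /^[0-9 +().-]{5,20}$/;

function isValidLostModePhone(value) {
  if (typeof value !== "string") return false;
  const trimmed = value.trim();
  // Require at least five real digits so "(((((" cannot pass on punctuation alone.
  const digitCount = (trimmed.match(/[0-9]/g) || []).length;
  return PHONE_ALLOWLIST.test(trimmed) && digitCount >= 5;
}

// Output encoding: escape the HTML metacharacters before interpolating
// untrusted text into markup. This is a second layer, not a replacement
// for isValidLostModePhone.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Server-side rendering of the notice shown to the finder. Returns null when
// the stored value fails validation, so the caller falls back to a generic
// message instead of reflecting whatever the tag owner typed.
function renderFinderNotice(storedPhone) {
  if (!isValidLostModePhone(storedPhone)) return null;
  return `<p>This item is lost. Contact the owner at ${escapeHtml(storedPhone.trim())}.</p>`;
}

// Constructed sample values (not taken from the article).
const samples = [
  "+1 (555) 010-0123",        // a legitimate number: accepted
  "555-0100<b>call me</b>",   // markup where a number belongs: rejected
  "(((((",                     // allowlisted characters but no digits: rejected
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", isValidLostModePhone(s) ? "accepted" : "rejected");
}
```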
The video below shows the exploit in action. A tech-savvy person would likely spot that the URL has changed, but a real attacker would of course purchase a plausible-looking domain so that it would look less suspicious.
This type of attack could easily be targeted against specific individuals or companies by dropping a tag next to their car in a work parking lot, or outside their home.
Apple says that it does plan a fix, but no date is known, so for now, this vulnerability remains. If you do find an AirTag, note that no login is required to report it.