Apple’s security issues continue: last week, the company fixed a vulnerability in macOS, and now it’s facing a backlash over an amateur AirTags vulnerability that has been known for months and that it hasn’t bothered to fix.
AirTags are small trackers that attach to backpacks, bags, luggage and other valuables. If someone loses their AirTag-equipped bag, they can track its location using the “Find My” network, which is operated anonymously by iPhones and other Apple devices.
But most often, lost things are found by strangers. That’s why AirTag has “Lost Item Mode,” a setting that allows the golden-hearted stranger to scan the tracker to see the owner’s phone number. Scanning is easy: just tap the AirTag against your iPhone.
Unfortunately, a design flaw in AirTags could turn trackers into tools for hackers.
As security researcher Bobby Rauch discovered, Apple does not “sanitize” the phone number entry field AirTag owners fill in when setting up their trackers. In fact, you can enter anything into this input field, including malicious code.
This is a big problem. When a missing AirTag is scanned, it “transfers” the owner’s phone number to the iPhone. The iPhone then embeds the phone number in the https://found.apple.com/ web page. Therefore, if the missing AirTag’s phone number field is full of malicious XSS code, Apple’s website will include it, no questions asked.
This vulnerability makes targeted phishing attempts very easy. A hacker could program a fake iCloud login box to show when a “missing” AirTag is scanned, for example. The hacker can then place this AirTag near the victim’s car or front door to make sure it is detected and scanned.
Hackers can also exploit this vulnerability to activate browser-based zero-day exploits on the iPhone. These exploits could crash or damage your iPhone, but honestly, there are much easier ways to achieve such feats.
Apple has not commented publicly on the issue.
Technically, the solution should be very simple. Apple does not need to send the iPhone or AirPods update; it just has to make sure that the https://found.apple.com/ web page “cleans up” the incoming phone numbers. We hope Apple will take steps to completely fix this problem.
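The server-side “clean up” described above could look like the following sketch. It is an added example, not Apple’s code: the function names, the page markup and the sample inputs are all assumptions made for illustration. It validates the stored value against a phone-number allow-list and HTML-encodes whatever is written into the page.

```javascript
// Added illustration: not Apple's code. All names here are hypothetical.

// Accept only characters that occur in phone numbers: an optional leading "+",
// then digits with common separators, 7 to 15 digits in total (E.164 upper bound).
function normalizePhone(input) {
  if (typeof input !== "string" || input.length > 32) return null;
  const trimmed = input.trim();
  if (!/^\+?[0-9 ().-]+$/.test(trimmed)) return null;
  const digits = trimmed.replace(/[^0-9]/g, "");
  if (digits.length < 7 || digits.length > 15) return null;
  return (trimmed.startsWith("+") ? "+" : "") + digits;
}

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render the fragment of a "found item" page that shows the owner's contact.
// Validation runs first; output encoding is applied anyway as a second layer.
function renderContact(storedValue) {
  const phone = normalizePhone(storedValue);
  if (phone === null) {
    return '<p class="contact">No valid contact number was provided.</p>';
  }
  const safe = escapeHtml(phone);
  return `<p class="contact">Call the owner: <a href="tel:${safe}">${safe}</a></p>`;
}

// Constructed sample inputs: one ordinary number, one markup payload.
const samples = ["+1 (555) 010-0199", "<script>alert(1)</script>"];
for (const s of samples) console.log(renderContact(s));
```

Rejecting non-numeric input when the owner sets up the tracker and encoding it again when the page is rendered means a value that slips past one layer is still displayed as inert text.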
However, this news should not dissuade you from scanning AirTags, though it should make you more vigilant. If you’re asked to sign in to iCloud or another account after scanning an AirTag, for example, something is wrong: Apple doesn’t ask for any sign-in information when scanning an AirTag.
That said, no one is forcing you to scan AirTags. If you find a missing item with an AirTag attached and you are not comfortable scanning it, you can take it to the nearest Apple Store (or a police station). Just know that there’s probably nothing wrong with scanning it, as long as you don’t type any login information into the AirTag’s browser popup.