Apple’s latest security issues are both devastating and ridiculous. Last week, we found out that the company patched a macOS exploit in the laziest way possible, and now the company is facing backlash for an amateurish AirTags vulnerability that it has known about for months and never bothered to fix.
AirTags do not sanitize “phone numbers”
AirTags are small trackers that attach to backpacks, purses, luggage and other valuables. If someone loses their AirTag-equipped bag, they can track its location using the Find My network, which is anonymously powered by iPhones and other Apple devices.
But more often than not, lost items are found by strangers. That is why AirTags have a “lost mode”, an option that lets Good Samaritans scan the tracker to see the owner’s phone number. Scanning is easy: you just tap the AirTag with your iPhone.
Unfortunately, a design flaw in AirTags turns the trackers into cheap drop-attack tools. As discovered by security researcher Bobby Rauch, Apple does not sanitize the phone number field that AirTag owners fill in when setting up their trackers. You can put anything in this input field, including malicious code.
And that is a big problem. When you scan a lost AirTag, it hands its owner’s “phone number” to your iPhone, which then embeds that “phone number” in the https://found.apple.com/ web page. So if a lost AirTag’s phone number field is full of malicious XSS code, the Apple website embeds it without asking any questions.
This vulnerability makes targeted phishing attempts extremely easy. A hacker could program a fake iCloud login box to appear when their “lost” AirTag is scanned, for example. They could then plant this AirTag near a victim’s car or front door to ensure it is found and scanned.
Hackers could also use this vulnerability to trigger browser-based zero-day exploits on an iPhone. Such payloads could crash or destroy your iPhone, but to be fair, that kind of exploitation does not really benefit a hacker (and there are much easier ways to deliver such payloads).
Apple spent months sitting on its hands
Bobby Rauch, the researcher who discovered this vulnerability, reported it to Apple on June 20th. The company spent three months telling Rauch that it was investigating the problem, and refused to tell him whether he would receive credit or a bounty for his discovery (these are standard rewards under Apple’s bug bounty program).
Apple asked Rauch not to “leak” the bug, but refused to work with him or provide a timeline for a patch. He warned the company that he would go public with the vulnerability after 90 days, and he finally did so in a Medium blog post. Apple still has not commented on the issue publicly, although it previously told Rauch that it intends to resolve it.
Technically, this should be a very easy fix. Apple does not have to push an update to iPhones or AirTags; it just has to make the https://found.apple.com/ web page sanitize incoming “phone numbers”. But I hope Apple takes the time to solve this problem completely. The company keeps making stupid mistakes and pushing half-baked patches for things that should have been safe at launch.
Not to mention, Apple refuses to communicate with people trying to report issues through its official bug bounty program. If Apple is serious about security, it should fix software vulnerabilities quickly and start treating security experts with respect. After all, many of these security experts do Apple’s work for free.
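An added example (not Apple’s code, and not from the original article) of the rendering mistake described above and the fix the article calls for: a lost-mode page that concatenates the owner’s contact field straight into HTML, beside a version that validates the field as a phone number and HTML-escapes it before display. The function names, page markup and the sample field value are assumptions.

```javascript
// Added illustration, not Apple's code. Field name, markup and sample value are assumptions.

// Vulnerable pattern: the owner-supplied string is concatenated straight into HTML,
// so any markup stored in the "phone number" field becomes live content on the page.
function renderLostPageUnsafe(phoneField) {
  return `<p>This AirTag's owner can be reached at: ${phoneField}</p>`;
}

// Fix 1 (input validation): accept only characters that can appear in a phone number.
// Returns the trimmed value, or null if it is not a plausible phone number.
function validatePhoneNumber(value) {
  const trimmed = String(value).trim();
  if (trimmed.length === 0 || trimmed.length > 20) return null;
  return /^\+?[0-9 ()\-.]+$/.test(trimmed) ? trimmed : null;
}

// Fix 2 (output encoding): escape the HTML-significant characters so the browser
// treats the value as text, never as markup, even if validation is bypassed later.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: validate on the way in, encode on the way out.
function renderLostPageSafe(phoneField) {
  const phone = validatePhoneNumber(phoneField);
  const shown = phone === null ? 'no contact number provided' : escapeHtml(phone);
  return `<p>This AirTag's owner can be reached at: ${shown}</p>`;
}

// Constructed sample: a "phone number" field that contains markup instead of a number.
const CONSTRUCTED_HOSTILE_FIELD = '555-0100<script>alert(1)</script>';

// Check helper: does the rendered HTML contain any tag other than the wrapper <p>?
function containsInjectedTag(html) {
  return /<(?!\/?p>)[a-z]/i.test(html);
}
```

Run the two renderers over CONSTRUCTED_HOSTILE_FIELD: the unsafe page carries an injected script tag, the safe page shows only text.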
Is it safe to scan AirTags?
This news should not deter you from scanning AirTags, though it should make you more vigilant. If you are prompted to sign in to iCloud or another account after scanning an AirTag, for example, something is wrong: Apple does not ask for any login information when you scan a legitimate AirTag.
An AirTag lying by itself is also a red flag … sort of. Because these trackers do not have a built-in key ring loop, they can roll out of bags or slip out of cheap holders. In most cases, a lone AirTag is the result of carelessness.
Anyway, no one is forcing you to scan AirTags. If you find a lost item with an AirTag and are not comfortable scanning it, you can take it to an Apple Store (or a police station, I think) and make it their problem. Just know that there is probably no harm in scanning it as long as you do not enter any login information in the AirTag’s browser popup.
Source: Bobby Rauch via Krebs on Security, Ars Technica