According to security researcher Bobby Rauch, the attack exploits the way the AirTag's Lost Mode is set up.
Apple's Bluetooth-enabled item trackers, AirTags, are useful: you can attach them to important objects such as wallets or keys so they do not go missing. They are nevertheless vulnerable to abuse and not entirely trustworthy.
According to penetration tester and security researcher Bobby Rauch and cybersecurity blogger Brian Krebs, there is an exploit that allows AirTags to be used as vectors for credential theft and data theft.
The issue stems from a design flaw that lets attackers repurpose the tags for malicious ends.
About the Good Samaritan Attack
The attack exploits the way Lost Mode is set up. It can easily be used to target a good Samaritan, which in this scenario means anyone who finds a lost AirTag and intends to return it to its rightful owner.
According to Krebs' blog post, this is a classic scheme that works much like an attacker leaving a malware-infected flash drive in a public space, such as a company parking lot, and waiting for someone to pick it up and plug it into their computer, which unleashes the malicious code.
In the same way, a threat actor can leave an AirTag attached to a seemingly lost item and wait for someone to pick it up and try to find its rightful owner. A bad actor can thus easily weaponize an otherwise harmless AirTag and use it as a trojan.
What’s the Problem?
Reportedly, the problem lies in the software behind AirTags, which has a severe design flaw. Scanning an AirTag with any NFC-enabled device, even an old Windows phone, causes the web browser to open a page at found.apple.com that offers more details about that specific AirTag.
Usually, only the AirTag's serial number is displayed, which is also printed in the battery compartment, so nothing exceptional is happening here. The real problem arises when someone places the AirTag in Lost Mode. It can then also show the owner's contact information, such as a phone number or email address, if the device is running iOS 15.
The owner enters this information in Apple's Find My app, along with a customized message for anyone who finds the lost tag. Hence, when the tag is in Lost Mode, the owner's personal details are revealed to whoever scans it.
In his blog post, Rauch claimed that Apple has done nothing substantial to protect these phone numbers and email addresses, while the repercussions of Lost Mode go far beyond that. Apart from disclosing owner details, an attacker can inject arbitrary code into the contact number field, redirecting the finder's browser away from the legitimate found.apple.com page to a fake one.
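As an added, defensive illustration of the two controls that close this class of bug (this is example code written for this article, not Apple's code, and the phone-number allowlist is a constructed assumption): validate the contact field against a strict allowlist when it is entered, and HTML-escape every owner-supplied value when the page the finder's browser opens is rendered.

```python
import html
import re
from typing import Optional

# Constructed, hypothetical allowlist for the Lost Mode contact field: an optional
# leading "+", then 7 to 15 digits, with spaces, dots or hyphens as separators.
# Apple's real validation rules are not public and are not reproduced here.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 .\-]{5,20}[0-9]$")


def validate_contact_number(raw: str) -> Optional[str]:
    """Accept-at-entry check: return a normalized number, or None to reject.

    Anything that is not a plausible phone number (including any markup or
    script text placed in the field) is rejected before it is ever stored.
    """
    candidate = raw.strip()
    if not PHONE_RE.fullmatch(candidate):
        return None
    # Drop separators; the regex guarantees "+" can only appear first.
    normalized = re.sub(r"[ .\-]", "", candidate)
    if not 7 <= len(normalized.lstrip("+")) <= 15:
        return None
    return normalized


def render_lost_mode_page(message: str, contact: str) -> str:
    """Render-time defence for the page shown to whoever scans the tag.

    The free-form owner message is HTML-escaped so it can never become markup,
    and a tel: link is emitted only for a contact that passes the allowlist,
    so the field can never become a navigation target (defence in depth: the
    render step does not trust that entry-time validation happened).
    """
    safe_message = html.escape(message)
    normalized = validate_contact_number(contact)
    if normalized is None:
        contact_html = "<p>Contact: (not available)</p>"
    else:
        contact_html = f'<p>Contact: <a href="tel:{normalized}">{normalized}</a></p>'
    return (
        "<p>This AirTag has been reported lost.</p>\n"
        f"<p>{safe_message}</p>\n"
        f"{contact_html}"
    )
```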