Not sanitizing input on a form? Jesus, Apple, this is the most basic of the basic programming mistakes.
That’s what I was thinking too. At least it is an easy fix 🤷‍♂️

Apple isn’t alone in being bad at communicating with security researchers and acting on bug bounties in a timely manner. Seems like Microsoft has had quite a few high-profile mess-ups this year too.
 
But doesn't an AirTag have to be linked to a legitimate iCloud account for it to be activated and then put into Lost Mode in the first place? So why would someone start a phishing attack using a device linked to their personal iCloud account? Seems like a storm in a teacup.
There are plenty of throwaway iCloud accounts. Lately I get iMessage spam from e-mail domains ending with 163.com
 
New report from UnregisteredOnSecurity:
I’ve found an exploit that works on the Apple AirTag. If you find an AirTag laying on the ground, pick it up and scan it with your phone, WHILE someone is standing nearby waiting to bash your head in with a hammer while you’re not looking, there’s a VERY good chance that serious PHYSICAL harm could come to you!

I brought this information to Apple’s attention, but they have done absolutely NOTHING to protect their users from physical harm!!
 
So this researcher is only in it for the money? If someone asked me not to say anything in the case of a security issue, I wouldn’t. Doesn’t anyone believe in goodwill anymore?
If you know the name of a security researcher, even more so, if they are active on social media, they are, by default, in it for the money. There ARE a lot of security researchers doing a lot of good serious work. You don’t know them, though, because they understand the first word of their job title :)
 
Technically, this is NOT a problem with the AirTag, but with the Apple website that supports AirTag. Of course, it is Apple on both sides of the issue, but fixing the website to prevent users from injecting arbitrary computer code into the phone number field is a fairly easy fix. It is also something that should have been caught by Apple's AppSec team. Fixing all AirTags' firmware would have been a bigger problem and concern.
 
If you know the name of a security researcher, even more so, if they are active on social media, they are, by default, in it for the money. There ARE a lot of security researchers doing a lot of good serious work. You don’t know them, though, because they understand the first word of their job title :)
Fine — I just don’t like the fact that he’s basically saying pay me or I’m going public with the security issue I found. That’s sleazy.
 
These AirTags are the literal opposite of privacy. I’ve had my neighbor’s car keys for hours now with no warning of the AirTag on them. I fail to see how letting people be stalked is a good idea…
 
There is something to do with how Find My iPhone works… in most Apple login locations 2-factor authentication is required but Find My due to its nature does not require 2FA so anyone with your login and password can just simply change the ownership of your device in a blink. This process needs an overhaul.
 
So you think this mistake is a sign that Apple doesn't care about security or privacy? Really? Of the thousands of methods out there on every platform that allow hacks, this is a sign to you that Apple is lying when they say they care about security and privacy? I think you are overreacting. Or just haven't thought out what you write.
How hard is it to have a better conversation with this group of people? That's the problem. Apple's extended silence can be seen as ignorance and arrogance. Apple, a company that is praised for its marketing prowess, seems to be failing hard at simple forms of communication.

It reminds me how Apple didn't even bother to reply to the invitation for discussion from security experts prior to announcing their mass scanning system. Total arrogance.
 
Bug finders are starting to act like criminals. They blackmail companies and demand money. Otherwise they will publish a bug. Why don't the police take care of this?
If that's the case, then Apple can simply go public, showing the full communications of these people. That will show the intent. Since the bug is already out in the open, Apple has nothing to lose and nothing to give, other than fixing the issue. These people are the ones losing.

But Apple was the one putting out the bounty program to begin with. If they were not fulfilling their end of the bargain, I can see why people can be irked and decided to go public. Often times, public scrutiny is needed for a company, especially a super secretive one like Apple, to actually act properly.
 
Fine — I just don’t like the fact that he’s basically saying pay me or I’m going public with the security issue I found. That’s sleazy.
Giving a 90 day grace period for a full disclosure is standard practice. This forces companies to be disciplined in fixing vulnerabilities. Besides, there is no guarantee that other researchers (regardless of their hat colors) could not find the same vulnerability.
 
Although I certainly don't condone Apple hesitating in addressing security issues I'm also starting to view "security researchers" as petty people who put themselves over the security of us all. "Apple didn't commit to recognizing that I found out I can inject some HTML into the AirTags message so now I'm going to go tell the world how to break this," isn't a mature response.
Researchers ain’t robots. They are human, need to eat, need to live, and can’t be absolutely altruistic. Call them petty all you want, but if they are dead they can’t work anymore, even for some of the most noble causes out there.

If Apple does not acknowledge the issue after months of waiting, Apple is the one to blame. Apple, as a giant corp with unlimited money, should have no issue assembling a team or so dedicated to processing these claims and responding. Instead they didn’t, or didn’t do enough.
 
Really super responsible behavior by the “researcher”. Probably multiplied the possibility of some bad actor trying this, which they would otherwise never have even thought of, by a factor of some hundreds. Thanks for nothing, Bubba!
 
Bug finders are starting to act like criminals. They blackmail companies and demand money. Otherwise they will publish a bug. Why don't the police take care of this?
Why do police take care of this? I bet your police department also relies heavily on critical software bugs these days for warrantless access to anyone's device. Criminals and people fighting criminals aren’t fundamentally different from each other.
 
It's good that someone is checking this, but I mean it's getting into ridiculous territory here. If I scan an AirTag in the hope of helping someone and find that I have to log in, I will just not bother.

If they act fast, folks can just remove and replace the battery 5 times to reset them and keep them for their own. (Because there is no pre-loss activation lock feature; what were you thinking Apple??)
 
There are plenty of throwaway iCloud accounts. Lately I get iMessage spam from e-mail domains ending with 163.com
How do you determine the IPA of incoming iMessages? I didn’t know that was even possible.
 
If they act fast, folks can just remove and replace the battery 5 times to reset them and keep them for their own. (Because there is no pre-loss activation lock feature; what were you thinking Apple??)
No they can't. AirTag is locked to the iCloud owner. You can keep it for your own ONLY if you have the owner iCloud password.
 
"I can't remember another instance where these sort of small consumer-grade tracking devices at a low-cost like this could be weaponized," he said.

So you were born this morning?

Either that or you have no long term memory.

I mean the security issue needs fixing, and good on you for finding it, but to act like you never saw anything like this before is disingenuous at best.
 