Apple: this worrying AirTag flaw is still not fixed
A security researcher successfully injected malicious code into an AirTag. It could allow an attacker to use the tag to carry out a targeted phishing operation. Apple has been aware of this for more than three months and no fix has been deployed.
AirTags are small capsules sold by Apple that are attached to a keychain, a wallet or any other object so that it can be found if lost. Rather than carrying a GPS receiver, these mini beacons locate the object using both a Bluetooth transmitter and a module based on an old but efficient radio standard, ultra-wideband (UWB). AirTags would be perfect if they did not suffer from a serious security flaw that is rather embarrassing for Apple. Bobby Rauch, a bug bounty hunter (a researcher paid for the vulnerabilities he finds) from Boston (United States), discovered in June that it is possible to turn any AirTag into a contamination vector aimed at a smartphone. How? To see it, you need to understand how an AirTag works in practice.
When the owner reports the object lost via the smartphone app and the AirTag is then detected by a Good Samaritan, that person can scan it with their phone to obtain the owner's phone number. At the same time, a link generated by the AirTag is displayed so that the finder can notify the owner via iCloud. However, on the owner's side, before the AirTag is switched to Lost Mode, a cross-site scripting (XSS) flaw allows malicious code to be injected into the field used to enter the phone number. Once the AirTag has been found and scanned by the future victim, that code displays a web page crafted by the attacker and posing as iCloud. The goal is for the person to log in and enter their credentials.
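The pattern behind this kind of flaw, as an added illustration in Python (not code from the article, from Apple, or from Bobby Rauch): a hypothetical "found" page template that interpolates the owner-supplied phone number, the vulnerable rendering beside an output-escaped and an input-validated version, plus an audit helper for values already stored. The template, the allow-list regex and the sample inputs are constructed assumptions.

```python
import html
import re

# Constructed stand-in for the page a finder sees after scanning a Lost Mode
# AirTag; hypothetical template, not Apple's own code.
FOUND_PAGE = "<p>This item is lost. Please call the owner at: {phone}</p>"

# Allow-list for the owner-supplied phone field: optional leading '+', then a
# digit, then 4 to 19 more digits or common separators. Nothing else is accepted.
PHONE_RE = re.compile(r"\+?[0-9][0-9 ().-]{4,19}")

# Constructed sample inputs: a legitimate number and an XSS-style payload.
LEGIT_PHONE = "+1 617 555 0100"
XSS_PAYLOAD = "<script>alert('constructed-xss')</script>"


def render_vulnerable(phone: str) -> str:
    """The flawed pattern: owner text lands in the HTML verbatim (stored XSS)."""
    return FOUND_PAGE.format(phone=phone)


def render_escaped(phone: str) -> str:
    """Output encoding alone: markup is neutralised, but junk is still stored."""
    return FOUND_PAGE.format(phone=html.escape(phone, quote=True))


def validate_phone(phone: str) -> str:
    """Input validation at save time: reject anything that is not a phone number."""
    if not PHONE_RE.fullmatch(phone):
        raise ValueError("phone number contains disallowed characters")
    return phone


def render_hardened(phone: str) -> str:
    """Defence in depth: validate on input and still escape on output."""
    return FOUND_PAGE.format(phone=html.escape(validate_phone(phone), quote=True))


def flag_suspicious_values(stored_values: list) -> list:
    """Audit helper for existing records: return values that fail the allow-list."""
    return [v for v in stored_values if not PHONE_RE.fullmatch(v)]
```

Output escaping on its own already stops the injected markup from executing; the validation step additionally keeps such values out of storage and gives an audit signal.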
In this video, we can see the steps that make it possible to exploit the AirTag flaw. It has still not been patched by Apple. © Bobby Rauch, YouTube
When Apple turns a deaf ear
Here, this is a phishing method, but any other malicious code can be injected the same way. Used in a very targeted way, this type of attack is ideal for harvesting the credentials of high-ranking people in a large corporation or government organisation. It is enough to leave a set of keys with an AirTag attached in a place where the victim is bound to find them, in order to lure them unwittingly into the trap. A first step which can then open many other doors inside the organisation's computer network.
The concern is that Bobby Rauch discovered this vulnerability in June. He also took care to inform Apple, giving the firm 90 days to react and publish a fix before publicly disclosing the flaw. However, Apple did not deign to plug the hole or announce the date of a possible update, still less say whether it would pay a bug bounty, that is, a reward to the author of the discovery, as is generally the case. Bobby Rauch therefore publicly revealed the flaw and, faced with its inaction, Apple immediately drew the wrath of the white hat community, which considers that the brand is accustomed to this kind of attitude of ignoring such discoveries on its part; for its part, Apple explained that a fix is in preparation, without announcing an availability date.