A security expert successfully injected malicious code into an AirTag. It could allow a hacker to use it to perform a targeted phishing operation. Apple has been aware of this for over three months and no fixes have been deployed.
Discover TechPod , the bimonthly summary of tech and mobility news!
The, these are small capsules marketed by Apple that are attached, for example to a keychain, a wallet, or any other object to be able to find them in case of loss. Rather than carrying a GPS, to locate the object, these mini beacons use both a Bluetooth transmitter and a module based on an old, but efficient, ultra-wideband radio communication standard ( ). These AirTags would be perfect if they didn’t suffer from a big security flaw that’s embarrassing enough for Apple. He is , a hunter , that is to say a in cybersecurity from Boston (United States), which discovered in June that it is possible to transform any AirTag into a vector of to spoof a . How? ‘Or’ What ? To do this, you have to understand how the AirTag works in practice.
When you declare the lost object via theof the smartphone and the AirTag is detected by a Good Samaritan, he can scan it with his phone to obtain the owner’s phone number. At the same time, a link generated by the AirTag is displayed so that you can notify via iCloud. However, on the owner’s side, before setting the AirTag to “lost” mode, a ( ), allows you to inject malicious code into the field used to enter the phone number. Once the AirTag has been found and scanned by the future victim, the code will then display a page concocted by the hacker and posing as iCloud. The goal is for the person to log in and enter their credentials.
On this video, we can see the manipulations that make it possible to exploit the AirTags flaw. It is still not sealed by Apple. © Bobby Rauch, YouTube
When Apple turns a deaf ear
Again, this is a, but any other malicious code can be injected the same way. Used in a very targeted way, this type of attack is ideal for unearthing the credentials of high-ranking people in a large corporation or government organization. It suffices to deposit the keys with an AirTag in a place where it will necessarily be found by the victim in order to be able to drag them unwittingly into the trap. A first step which can then open many other doors inside the of the organization.
The concern is that Bobby Rauch discovered this vulnerability in June. He also took care to informby giving the firm 90 days to react and publish a fix before publicly disclosing the flaw. However, Apple did not deign to plug the breach or announce the date of a possible update and even less specify if it would give a