Apple’s latest security issues are both devastating and laughable. Last week, we learned that the company patched a macOS exploit in the laziest way possible, and now, the company is facing backlash for an amateurish AirTags vulnerability that it’s known about for months and never bothered to fix.
AirTags Don’t Sanitize “Phone Numbers”
AirTags are small trackers that attach to backpacks, purses, luggage, and other valuables. If someone loses their AirTag-equipped bag, they can track its location using the Find My network, which is anonymously powered by iPhones and other Apple devices.
But more often than not, lost articles are found by strangers. That’s why AirTags have a “lost mode,” a setting that lets Good Samaritans scan the tracker to see its owner’s phone number. Scanning is easy—you just touch the AirTag with your iPhone.
Unfortunately, a design flaw in AirTags could turn the trackers into cheap tools for drop attacks. As discovered by security researcher Bobby Rauch, Apple doesn’t sanitize the phone number entry field that AirTag owners fill out when setting up their trackers. You can stick anything in this entry field, including malicious code.
And that’s a big problem. When you scan a lost AirTag, it gives its owner’s “phone number” to your iPhone. Your iPhone then embeds the “phone number” in a https://found.apple.com/ webpage. So if a lost AirTag’s phone number field is full of malicious XSS code, the Apple website will embed it, no questions asked.
This vulnerability makes targeted phishing attempts extremely easy. A hacker can program a fake iCloud login box to show up when their “lost” AirTag is scanned, for example. They could then plant this AirTag near a victim’s car or front door to ensure that it’s discovered and scanned.
Hackers could also use this vulnerability to trigger browser-based zero-day exploits on an iPhone. These exploits could crash or brick your iPhone, but to be fair, such an exploit wouldn’t really benefit a hacker (and there are much easier ways to deliver such exploits).
Apple’s Spent Months Sitting On Its Hands
Bobby Rauch, the researcher who discovered this vulnerability, reported it to Apple on June 20th. The company spent three months telling Rauch that it was investigating the issue, and refused to tell him if he would receive credit or a bounty for his discovery (these are standard rewards for following Apple’s bug bounty program).
Apple asked Rauch not to “leak” the bug, but refused to work with him or provide a timeline for a patch. He warned the company that he’d take the vulnerability public after 90 days, and finally did so in a Medium blog post. Still, Apple has not commented on the issue publicly, though it previously told Rauch that it intends to fix the problem.
Technically speaking, this should be a very easy fix. Apple doesn’t need to push an update for the iPhone or AirPods; it just needs to make the https://found.apple.com/ webpage sanitize incoming “phone numbers.” But I hope that Apple takes the steps to completely resolve this problem. The company keeps making stupid mistakes and pushing half-assed patches for things that should have been secure at launch.
Not to mention, Apple refuses to communicate with people who try to report issues through its official bug bounty program. If Apple’s serious about security, it needs to tackle software vulnerabilities quickly and start treating security experts with respect. After all, a lot of these security experts are doing Apple’s work for free.
Is It Safe to Scan AirTags?
This news shouldn’t discourage you from scanning AirTags, though it should make you more vigilant. If you’re asked to sign in to iCloud or another account after scanning an AirTag, for example, then something’s up—Apple doesn’t ask for any login information when a legitimate AirTag is scanned.
An AirTag that’s left by itself is also a red flag … sort of. Because these trackers don’t have built-in keychain loops, they can tumble out of bags or escape from cheap holsters. In most cases, a lone AirTag is the result of carelessness.
Anyway, nobody’s forcing you to scan AirTags. If you find a lost item with an AirTag and aren’t comfortable scanning it, you can take it to the Apple Store (or a police station, I guess) and make it their problem. Just know that there’s probably no harm in scanning it, so long as you don’t type any login information in the AirTags browser popup.
Source: Bobby Rauch via Krebs on Security, Ars Technica