Last Updated on September 29, 2021 by Calvin C.
Last time, I highlighted the drawbacks of AirTags as they can be used to track an unsuspecting individual. It seems there is even more to worry about because hackers can use AirTags to steal your account.
The worst part is that this cyberattack takes place when you find a lost AirTag and try to contact the owner.
Normally, when an AirTag is lost, an alert is sent to Apple and the user is able to enter a message and contact number on a page with a unique URL.
The person who finds the AirTag scans the device with an Apple or Android device and this opens the unique URL with the owner’s message.
A pop up message appears instructing the Good Samaritan to call the owner of the AirTag using the displayed number.
However, cybercriminals have figured out a way to insert a malicious URL in the same field with contact details.
This URL directs the unsuspecting Good Samaritan to a fake iCloud login page.
Once the user enters credentials on this page, attackers take control of the respective account. In addition, since most people reuse passwords, these credentials are used to hack other accounts as well.
This vulnerability makes AirTags a highly effective Trojan horse, spreading all sorts of dangerous malware.
It seems Apple is dragging its feet and at the time of publishing this post, the company reportedly said it’s addressing the issue in the next update.
Bobby Rauch is the one who discovered and reported to Apple about the vulnerability.
In a statement to Krebs, Rauch said,”I can’t remember another instance where these sort of small consumer-grade tracking devices at a low cost like this could be weaponized.”
As for the report he made to Apple, Rauch further highlighted the following:
“I told them, ‘I’m willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout’,” Rauch said, noting that he told Apple he planned to publish his findings within 90 days of notifying them. “Their response was basically, ‘We’d appreciate it if you didn’t leak this”
More to follow in the next update
One way to stop an attacker from acessing your account is to enable 2FA, which adds an extra layer of security.
If you missed the list of privacy upgrades you get in iOS 15, make sure yo read the article linked.
Do you use AirTags? Share the article with your friends and leave comments below.