Apple AirTag Attack

In April of 2021, Apple unveiled the AirTag, a tracking device that can be put on nearly anything so users don’t lose their valuables. Users frequently use these on their Keys, Cars, Pet Collar, or their kid’s favorite toy, and can easily find them in their ‘Find My’ app on their iPhone. This gadget can allow anyone who finds one of these location beacons to scan it with a cellphone and discover its owner’s phone number if the AirTag has been set to ‘Lost Mode’. Recently, cybersecurity experts found that the helpful feature can be used against you. 

How Does It Work?

According to the research, this feature allowing those to help locate the owner of the AirTag can be abused to redirect the Good Samaritan to an iCloud phishing page, or other malicious websites.

The AirTag’s ‘Lost Mode’ lets users alert Apple when an AirTag is missing. Setting it to Lost Mode generates a unique URL at https://found.apple.com, and allows the user to enter a personal message and contact phone number. Anyone who finds the AirTag and scans it with an Apple or Android phone will immediately see that unique Apple URL with the owner’s message. The information pops up without asking the finder to log in or provide any personal information. But your average person may not be aware of this. 

The problem with the current state of Apple’s Lost Mode is that it doesn’t stop users from injecting malicious code into its phone number field, which can cause the ‘Good Samaritan’s’ device to visit a phishing Apple iCloud login page.

What Can We Do?

If you’re using AirTags currently to keep track of your belongings, there shouldn’t be any risks associated with that. If you see one of these AirTags lying around in public, it may be best to simply leave it be – just like you would if you saw a thumb drive on the ground, right? 

It’s best to treat these AirTags as potential threats (if found in public) until Apple fixes this issue perhaps by removing customizable messaging. It may not be a bad idea to hand it over to the proper authorities (police, event staff, etc) if you must be a Good Samaritan. If you scan an AirTag and the landing page asks for credentials or seems off, just close your browser and know that ‘you tried’ to help.

Other Cybersecurity Best Practices from CyberHoot

In addition to being careful while scanning an AirTag, it’s important to remember there are other ways to improve your cybersecurity hygiene. CyberHoot recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks:

Scroll down to schedule a CyberHoot Demo today.

Find out how CyberHoot can secure your business.

Share this on your social networks. Help Friends, Family, and Colleagues become more aware and secure.