AirTag 'Lost Mode' Vulnerability Can Redirect Users to Malicious Websites

The AirTag feature that allows anyone with a smartphone to scan a lost AirTag to locate the contact information of the owner can be abused for phishing scams, according to a new report shared by KrebsOnSecurity.

When an AirTag is set in Lost Mode, it generates a URL for https://found.apple.com and it lets the AirTag owner enter a contact phone number or email address. Anyone who scans that AirTag is then directed automatically to the URL with the owner's contact information, with no login or personal information required to view the provided contact details.

According to KrebsOnSecurity, Lost Mode does not prevent users from injecting arbitrary computer code into the phone number field, so a person who scans an AirTag can be redirected to a phony iCloud login page or another malicious site. Someone who does not know that no personal information is required to view an AirTag's information could then be tricked into providing their ‌iCloud‌ login or other personal details, or the redirect could attempt to download malicious software.
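As an added defender-side illustration of the fix the report calls for (not code from the report, from Apple, or from the researcher), the following shows how a found-item page could restrict the contact phone field to an actual phone number and escape it at render time as a second layer; the function names and sample inputs are constructed for this example.

```python
import html
import re
from typing import Optional

# Strict allow-list for the Lost Mode contact phone field: an optional
# leading '+' followed by 7 to 15 digits (E.164 length limits). Common
# separators are tolerated on input and stripped before validation.
_SEPARATORS = re.compile(r"[\s().-]")
_E164 = re.compile(r"\+?[0-9]{7,15}")


def normalize_contact_phone(raw: Optional[str]) -> Optional[str]:
    """Return the canonical phone string, or None if the input is not a phone number.

    Anything other than digits (plus an optional leading '+') is rejected
    outright, so markup or script never reaches the stored contact value.
    """
    if raw is None or len(raw) > 64:
        return None
    cleaned = _SEPARATORS.sub("", raw.strip())
    if not _E164.fullmatch(cleaned):
        return None
    return cleaned


def render_contact_html(contact: str) -> str:
    """Render the owner's contact into the found-item page.

    html.escape is applied at output time as defense in depth: a value that
    somehow slipped past validation is shown as inert text, not parsed as HTML.
    """
    return f'<p class="contact">Owner contact: {html.escape(contact, quote=True)}</p>'


# Constructed sample inputs (not taken from the report). The markup-shaped
# entries imitate the form of an injected value and must be rejected.
SAMPLES = {
    "+1 (555) 010-0199": "+15550100199",
    "555.010.0199": "5550100199",
    "+44 20 7946 0958": "+442079460958",
    "<script>location='https://example.invalid'</script>": None,
    "555-0100<b>owner</b>": None,
    "123": None,
}

if __name__ == "__main__":
    for raw, expected in SAMPLES.items():
        assert normalize_contact_phone(raw) == expected, raw
    print(render_contact_html(normalize_contact_phone("+1 (555) 010-0199")))
    # Even an unvalidated payload is neutralized by the output escaper.
    print(render_contact_html("<script>x</script>"))
```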

The AirTag flaw was found by security consultant Bobby Rauch, who told KrebsOnSecurity that the vulnerability makes AirTags dangerous. "I can't remember another instance where these sorts of small consumer-grade tracking devices at a low cost like this could be weaponized," he said.

Rauch contacted Apple on June 20, and Apple took several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update, and asked him not to talk about it in public.

Apple did not answer his questions about whether he would receive credit or whether he qualified for the bug bounty program, so he decided to share details on the vulnerability because of Apple's lack of communication.

"I told them, 'I'm willing to work with you if you can provide some details of when you plan on remediating this, and whether there would be any recognition or bug bounty payout'," Rauch said, noting that he told Apple he planned to publish his findings within 90 days of notifying them. "Their response was basically, 'We'd appreciate it if you didn't leak this.'"

Last week, security researcher Denis Tokarev made several zero-day iOS vulnerabilities public after Apple ignored his reports and failed to fix the issues for several months. Apple has since apologized, but the company is continuing to receive criticism for its bug bounty program and the slowness with which it responds to reports.


Top Rated Comments

btrach144, 4 weeks ago:
Why is Apple so lazy and incompetent when dealing with security researchers?
Score: 45 Votes

funandblindness, 4 weeks ago:
> Why is Apple so lazy and incompetent when dealing with security researchers?
Arrogance
Score: 32 Votes

Naraxus, 4 weeks ago:
Rofl. And Apple has the chutzpah to claim they care about & protect user privacy
Score: 26 Votes

Altivec88, 4 weeks ago:
It's just sad what Apple has become. Here you have people finding vulnerabilities that the staff you pay didn't find. It's essentially like having other people on your payroll that you only have to pay if they find something. Instead they treat them like crap, ignoring simple credit, trying to hush them, or worse yet just ignoring the vulnerability. It's not like paying them would even be a blip in the billions/quarterly profit they make. Instead of encouraging people to report these things to them, they push them away to potentially sell it to the bad guys. Hopefully it's worth the bad PR, unknown security holes, and the continued erosion of their "privacy" marketing BS.
Score: 25 Votes

SpaceN64, 4 weeks ago:
Well that sounds bad
Score: 15 Votes

red elma, 4 weeks ago:
Vulnerability chances are greater in logging into this forum than an AirTag in 'Lost Mode'
Score: 15 Votes
