2021-09-30

When an AirTag is found, it can be scanned to retrieve contact information for its owner. However, according to a cybersecurity expert, a malicious link can be slipped into the contact telephone number field, creating a significant vulnerability.

Will we have to be wary of lost AirTags in the future? That is what a blog post on Krebs on Security, a site founded by a former Washington Post journalist, seems to indicate. The site interviewed a cybersecurity expert, Bobby Rauch, who explains that he reported a significant vulnerability in AirTags to Apple.

The idea is simple and, as is often the case in cybersecurity, relies on very basic principles of human behavior. The site refers to this vulnerability as a "Good Samaritan" attack.

How it works

When an AirTag is put into lost mode, its user can generate a URL pointing to an Apple page and add a personal message as well as their phone number. The idea is that if someone scans the lost device with an Android or Apple smartphone, they can get in touch with its owner.

The problem is that, inside the field meant for the phone number, it is possible to inject code that sends the person who found the AirTag to a fake login page made to look like an Apple iCloud page. One can also imagine a link to a site that installs malicious software.
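The defect described above is a classic failure to validate and escape a free-text field before it is rendered as a web page. The following is an added illustration, not Apple's code: a toy lost-mode page renderer in its unsafe form beside a hardened one that accepts only a phone number (an E.164-style rule assumed here for the example) and HTML-escapes whatever it renders.

```python
import html
import re
from typing import Optional

# Strict pattern for a phone number: optional '+', then 7 to 15 digits.
# This rule is an assumption for the example; the real service's rules are not public.
E164 = re.compile(r"^\+?[0-9]{7,15}$")


def normalize_phone(raw: str) -> str:
    """Strip common separators so '+1 (555) 123-4567' becomes '+15551234567'."""
    return re.sub(r"[\s().-]", "", raw)


def validate_phone(raw: str) -> Optional[str]:
    """Return the normalized number, or None if the field holds anything but a phone number."""
    candidate = normalize_phone(raw)
    return candidate if E164.fullmatch(candidate) else None


def render_unsafe(phone: str, message: str) -> str:
    """The weakness the article describes: untrusted field text concatenated straight into HTML."""
    return f'<p>{message}</p><a href="tel:{phone}">{phone}</a>'


def render_safe(phone: str, message: str) -> str:
    """Hardened version: reject non-phone input outright, then escape everything that is rendered."""
    number = validate_phone(phone)
    if number is None:
        raise ValueError("contact field must contain only a phone number")
    return (f"<p>{html.escape(message)}</p>"
            f'<a href="tel:{html.escape(number)}">{html.escape(number)}</a>')


# Constructed sample inputs (not taken from the report).
GOOD_PHONE = "+1 (555) 123-4567"
TAINTED_PHONE = "+15551234567<script>/* constructed marker */</script>"
MESSAGE = "Found me? Please call <3"


def demo() -> dict:
    """Show that the unsafe renderer passes markup through while the safe path rejects it."""
    return {
        "unsafe_has_script": "<script>" in render_unsafe(TAINTED_PHONE, MESSAGE),
        "safe_accepts_good": render_safe(GOOD_PHONE, MESSAGE),
        "safe_rejects_tainted": validate_phone(TAINTED_PHONE) is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```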

Since the whole purpose of an AirTag is to be found, this vulnerability affects an essential function of the device.

For those who have seen season 1 of Mr. Robot, this is reminiscent of the technique used by the characters in the series when they drop USB sticks in front of a building they want to break into. In the series, a person only needs to plug the stick into their computer to launch a malicious program.

Here, with these booby-trapped AirTags, a targeted person would only need to scan a lost Bluetooth tracker to risk handing over their Apple ID credentials or even having their device infected.

What precautions should be taken?

Bobby Rauch, the security expert who discovered this flaw, says he contacted Apple about it on June 20. He only heard back last Thursday, in the form of an email. Apple said it would address this weakness in an upcoming update, without further detail. The company also reportedly asked the expert not to speak publicly about the problem.

If he has decided to speak about it publicly, it is because he feels cheated. He explains: "I told them, 'I'm ready to work with you if you can provide details on when you plan to fix this issue, and whether there will be any recognition or payment.'" With no answer from the Cupertino company on these points, the expert went ahead and disclosed it.

While waiting for Apple to fix this major flaw in its Bluetooth tracker, we can only advise you to pay close attention to what your screen displays if you have to scan a lost AirTag in the coming days. If you are asked for personal information, such as your iCloud password, do not provide it. If tapping the number automatically opens a website, check that no download has started.