Security flaw found in Apple AirTag could allow drop attacks until bug is fixed

Apple’s AirTags have been found to be exploitable due to a failure to sanitise a user-input field. A bug report submitted to Apple’s bug bounty program revealed that the oversight can let hackers inject their own malicious web content into an AirTag while it is in ‘lost mode’.

AirTags are small, button-shaped devices that you can attach to your belongings, such as luggage, and use to track them if they go missing. If somebody finds an AirTag in the wild, they can scan it with their phone over NFC to see a phone number attached to the AirTag.

A security flaw in the AirTag’s phone-number user-input field can allow hackers to inject their own malicious websites into what an AirTag presents to the finder. This means that an AirTag could hypothetically be set up to drop-attack someone who finds a seemingly lost AirTag and scans it over NFC.

This style of drop attack is likely to be a more effective social-engineering tool than traditional drop attacks. If someone finds a discarded USB drive lying around, the only thing driving them to plug it into a computer is curiosity. This exploit could be dangerous because it abuses one of the main intended functions of AirTags and could prey on a Good Samaritan just trying to help someone find their lost belongings.

The attack is fairly easy to recreate and does not require much actual coding knowledge. An attacker simply intercepts the request sent when an AirTag is put into lost mode and injects a malicious site into it using a basic XSS (cross-site scripting) payload.
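The flaw class the article describes is a stored cross-site scripting bug: a free-text field meant to hold a phone number is saved and later rendered into a page shown to whoever scans the tag, without validation or output encoding. The example below is an added illustration, not Apple’s code or anything from Rauch’s report; the page layout, the field handling and the sample values are assumptions made for the demonstration. It places the vulnerable rendering beside a hardened version that validates the field against a phone-number allow-list at save time and HTML-encodes it at render time.

```python
"""Added illustration of the stored-XSS flaw class described in the article.

Hypothetical model of a "lost mode" contact page: the owner's phone-number
field is stored and later rendered into HTML shown to whoever scans the tag.
Nothing here is Apple's code; the field name, page layout and sample values
are assumptions made for this example.
"""
import html
import re

# Strict allow-list for a contact phone number: optional leading '+', a digit,
# then 4..19 more characters drawn from digits, spaces, dots, dashes, parentheses.
PHONE_PATTERN = re.compile(r"^\+?[0-9][0-9 .()\-]{4,19}$")


def render_lost_page_unsafe(phone: str) -> str:
    """The flaw: the stored field is pasted straight into the page.

    Any markup stored in the field becomes live HTML for the finder.
    """
    return f"<p>This item is lost. Please call: {phone}</p>"


def validate_phone(phone: str) -> bool:
    """Reject anything at save time that is not shaped like a phone number."""
    return bool(PHONE_PATTERN.fullmatch(phone))


def render_escaped(phone: str) -> str:
    """Output encoding alone: whatever was stored is shown as text, never as markup."""
    return f"<p>This item is lost. Please call: {html.escape(phone, quote=True)}</p>"


def render_lost_page_safe(phone: str) -> str:
    """Hardened form: validate on input, and still encode on output.

    Encoding is kept even after validation so that a later relaxation of the
    allow-list, or a bypass of it, cannot turn the field back into markup.
    """
    if not validate_phone(phone):
        raise ValueError("contact field is not a phone number")
    return render_escaped(phone)


def contains_markup(rendered: str) -> bool:
    """Check used below: does the output carry any tag other than our own <p>?"""
    stripped = rendered.replace("<p>", "").replace("</p>", "")
    return "<" in stripped or ">" in stripped


def store_and_render(phone: str) -> dict:
    """End-to-end comparison: what the finder would see under each design."""
    accepted = validate_phone(phone)
    return {
        "accepted": accepted,
        "unsafe": render_lost_page_unsafe(phone),
        "escaped_only": render_escaped(phone),
        "safe": render_lost_page_safe(phone) if accepted else None,
    }


# Constructed sample inputs (not from the report): a legitimate number, and a
# value that is plainly markup rather than a phone number. The link points at
# a reserved placeholder domain and stands in for the fake-login page the
# article describes; it is not a working attack payload.
GOOD_PHONE = "+1 (555) 010-0199"
BAD_PHONE = "<a href='https://example.invalid/login'>Sign in to contact owner</a>"

if __name__ == "__main__":
    for label, value in (("good", GOOD_PHONE), ("bad", BAD_PHONE)):
        result = store_and_render(value)
        print(f"{label}: accepted={result['accepted']}")
        print("  unsafe render :", result["unsafe"])
        print("  escaped render:", result["escaped_only"])
        print("  safe render   :", result["safe"])
```

The two defences are deliberately independent: validation stops the bad value from ever being stored, and output encoding means that even a value that slipped past validation is displayed as literal text rather than interpreted by the finder’s browser. Either one alone would have prevented the behaviour the article describes; applying both is the usual recommendation because allow-lists get loosened over time.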

Bug Bounty 

The exploit was found by security consultant Bobby Rauch, who described it on Medium. Rauch provided an example of what he believes to be the most likely use for this exploit: linking people to fake Apple ID login pages that could steal the finder’s login data. He explains: “A victim will believe they are being asked to sign into iCloud so they can get in contact with the owner of the AirTag, when in fact, the attacker has redirected them to a credential hijacking page.”

Rauch submitted the bug report to Apple’s bug bounty program on June 20, but said he had not received any indication of when the bug would be fixed or whether it would qualify for a bug bounty reward.

Apple’s Bug Bounty Shortcomings 

Speaking with KrebsOnSecurity, Rauch said that he had reported a number of bugs over the years, but that the company has consistently failed to communicate with him. Rauch’s discontent with Apple’s bug bounty program follows a trend of other bug reporters airing their frustrations with the program.

In an article published by the Washington Post in early September, a number of security consultants and bug hunters aired their concerns about how Apple treats its bug bounty submitters. They give the example of iOS software developer Tian Zhang, who went public with a bug after reportedly hearing nothing from Apple for months. The next time Zhang submitted a bug report, Apple fixed the flaw but did not provide a reward.

Last week, a security researcher going by the name illusionofchaos shared an account of their experience with Apple’s bug bounty program on Habr.com. They wrote that Apple failed to disclose the flaw they had reported, despite fixing the problem in an iOS update.