Wednesday, December 11, 2024
News

PSA: AirTag bug can enable a ‘Good Samaritan’ attack

In his latest Power On newsletter, Bloomberg’s Mark Gurman says Apple's AirTag is due for a revamp by mid-2025.

Apple’s US $30 AirTag tracking device has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner’s phone number if the AirTag has been set to lost mode. However, KrebsonSecurity reports that this same feature can be abused to redirect the “Good Samaritan” to an iCloud phishing page — or to any other malicious website.

The vulnerability was discovered and reported to Apple by Bobby Rauch, a security consultant and penetration tester based in Boston. Rauch told KrebsOnSecurity the AirTag weakness makes the devices cheap and possibly very effective physical trojan horses.

Rauch said he realizes the AirTag bug he found probably isn’t the most pressing security or privacy issue Apple is grappling with at the moment. However, he said neither is it difficult to fix this particular flaw, which requires additional restrictions on data that AirTag users can enter into the Lost Mode’s phone number settings.

“It’s a pretty easy thing to fix,” he said. “Having said that, I imagine they probably want to also figure out how this was missed in the first place.”

KrebsOnSecurity says Apple hasn’t responded to requests for a comment.

Dennis Sellers
the authorDennis Sellers
Dennis Sellers is the editor/publisher of Apple World Today. He’s been an “Apple journalist” since 1995 (starting with the first big Apple news site, MacCentral). He loves to read, run, play sports, and watch movies.