AirTags, Apple’s Bluetooth-powered item trackers, were designed with good intentions: They’re useful for attaching to important things like keys and luggage to help you find them if they get lost. However, said devices also apparently come with a small design flaw—one that could allow an unscrupulous individual to use them in a malicious manner.
Bobby Rauch, a penetration tester and security researcher, recently contacted cybersecurity blogger Brian Krebs about an exploit he had discovered that would allow the tracking devices to be used as a potential vector for credential hijacking and data theft. The attack, which takes advantage of the way Apple’s “Lost Mode” is set up, could target an unsuspecting Good Samaritan—somebody who finds an AirTag left in a public place and wants to return the item to its proper owner.
When they go missing, AirTags can be tracked remotely via Apple’s Find My app, but a person who finds a lost tag can also help return it to its owner. An AirTag can be scanned via an iPhone or Android device’s NFC reader, and if the AirTag has been placed in “Lost Mode,” it will automatically reveal to the finder any contact information that has been associated with the device. AirTag owners can set this up through Find My to include a phone number or email address and can also input a short message—probably something to the effect of, “Hey, this is mine, please return to XYZ.” When someone finds and scans the AirTag, they will automatically be prompted on their phone to visit a unique URL that displays the owner’s contact information and message. In essence, it’s a similar concept to dog tags, which usually come equipped with contact information for where to return a lost pooch.
However, while this is a well-intentioned feature, it nevertheless opens up the Good Samaritan to potential attack. That’s because there is currently nothing to stop an AirTag owner from injecting arbitrary code into the phone number field of the device’s URL. Such code could be used to send the AirTag finder to a phishing site or other malicious webpage designed to harvest credentials or steal their personal information, Rauch recently told Krebs. In theory, a malcontented creep could thus purchase AirTags for the specific purpose of converting them into malicious trojans, then leave them scattered around for an unsuspecting person to pick up.
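The flaw described above is a classic case of owner-supplied text being dropped into a web page without validation or escaping. The following is an added illustration, not code from Apple or from Rauch’s write-up: a toy renderer for a Lost Mode contact page in its flawed form beside a hardened form that only accepts a real phone number and HTML-escapes everything it displays. The field names and sample inputs are constructed for the example.

```python
import html
import re

# Constructed sample inputs: one genuine phone number, one phone field carrying markup.
CONSTRUCTED_GOOD_PHONE = "+1 555-0100"
CONSTRUCTED_MALICIOUS_PHONE = "555-0100<script>demo()</script>"

# Accept only digits, spaces, dots, dashes, parentheses and an optional leading plus sign.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 .()-]{4,20}$")


def render_lost_page_unsafe(phone: str, message: str) -> str:
    """Mimics the flawed pattern: owner-supplied fields concatenated straight into HTML.

    Whatever the owner typed into the phone field becomes part of the page the finder sees.
    """
    return f"<p>Owner phone: {phone}</p><p>{message}</p>"


def is_valid_phone(phone: str) -> bool:
    """True only if the field looks like a phone number and nothing else."""
    return PHONE_RE.fullmatch(phone) is not None


def render_lost_page_safe(phone: str, message: str) -> str:
    """Hardened renderer: reject a non-phone value and escape every field on output."""
    if not is_valid_phone(phone):
        raise ValueError("phone field rejected: not a phone number")
    return (
        f"<p>Owner phone: {html.escape(phone)}</p>"
        f"<p>{html.escape(message)}</p>"
    )


def contains_raw_script(page: str) -> bool:
    """Simple check a reviewer can run over rendered output: is there an unescaped script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_lost_page_unsafe(CONSTRUCTED_MALICIOUS_PHONE, "Please return"))
    print(render_lost_page_safe(CONSTRUCTED_GOOD_PHONE, "Return to <lobby>"))
```

The unsafe renderer emits the owner's markup verbatim; the safe one refuses the malformed phone field outright and turns the angle brackets in the message into `&lt;` and `&gt;`.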
Krebs aptly compares this to that classic ploy wherein a hacker will leave a nondescript flash drive lying around—usually in a company parking lot or some other public space. Eventually, some curious, ill-fated person will pick that USB drive up and plug it into their computer, thus silently releasing whatever malware is concealed within. Similarly, a bad actor could conspicuously leave AirTags lying around along with a “lost” item or two, and just wait for someone to pick one up and try to helpfully return it to its rightful owner.
Apple has apparently been slow to respond to this issue. Rauch, who discovered the exploit, told Krebs that he had reached out to the company in June and that they basically blew him off. For three months, Apple representatives merely told Rauch that they were “still investigating” his claims, but wouldn’t commit to publicly disclosing the issue or tell him whether he qualified for their bug bounty program. When Rauch reached out to Krebs last Friday, the company finally got back to him and said that they planned to fix the bug in an upcoming update. They also asked him not to publicize his findings.
However, Rauch has now done just that, penning his own blog that explains how the exploit works: “An attacker can create weaponized AirTags, and leave them around, victimizing innocent people who are simply trying to help a person find their lost AirTag,” he writes.
We reached out to Apple for comment on all of this. At the time of publication, they had not gotten back to us. We will update this story if they reply.