This Apple “AirTag” Vulnerability could be harvesting your credentials

  • Home
  • Blog
  • This Apple “AirTag” Vulnerability could be harvesting your credentials
image
  • Posted On: October 20, 2021  

Executive Summary

During late September, the headlines were hit with the news of a vulnerability within Apple’s AirTag. Targeting good Samaritans and the curious by using Cross-Site Scripting (XSS), the vulnerability allows malicious actors to steal iCloud credentials and gain access to a victims account. We’re unaware if Apple has patched this vulnerability yet, and it seems like it swept underneath the rug on this occasion.

But, what even is an AirTag? If you’ve heard of a “Tile” before, then it’s essentially Apple’s version of that.

If not, it’s a geolocation tracking device that allows users to find their valuables, given that the device is attached or located with it. You could add it to your keyring or put it in your car, but using Apple’s “Find My” app within iOS and macOS devices, end-users can locate their devices wherever they are in the world for as little as £29.

You might be asking: “what happens if I lose an AirTag and can’t see it on the ‘Find My’ app?” Fortunately, you won’t be out of luck just yet. A feature called “Lost Mode” allows an AirTag to have a final swansong and when recovered. It retrieves information about the owner, allowing the finder to contact them and (hopefully) retrieve their lost belongings. The lost AirTag page allows its owner to insert any information to help the person who found the device and belongings return them to the rightful owner.

Sadly due to the world that we live in, malicious actors have discovered a way to inject arbitrary code into the mobile phone number section of the “Lost Mode” configuration page. Users are redirected to a spoofed phishing login page, which captures the credentials of the victim attempting to rehome the device with its owner.

So, how can you avoid falling victim? Normally upon scanning the lost AirTag, you’ll be met with a page like this:

A sample “Lost Mode” message. Image: Medium @bobbyrsec

In an ideal world, this page will provide you with all the information that you need to get in contact with the owner of the lost phone. If you see a page similar to the above, then proceed as usual.

However, at the time of writing this article, should you find that you are redirected to a page that looks like a login page, then you have not landed yourself in the right place. It is best to assume that the device you’ve found is a credential harvesting device and not a lost AirTag.

To find out more about our security solutions and E-learning courses to help you stay safe online, get in touch!



Would you like to talk to us and find out more about our services?

Please fill in the form below and one of the team will get in touch.

About Us

Established in 2013, Cyber Security Associates Limited (CSA) provides cyber consultancy and cyber managed services which help to detect, protect and educate against the ever-changing cyber threat. We have built our team from a foundation of Government (ex-Military) and Commercially experienced specialists all holding current and relevant cyber certifications. Today our core services are based around a 24/7 Security Operations Centre (SOC) based in Gloucester.

News & Resources

Quick Links

Contact Information

Phone: +44(0) 300 303 4691
Email: [email protected]
Address: Head Office, Unit 11, Wheatstone Court, Waterwells Business Park, GL2 2AQ
Sign up for our newsletter


cert

2024 Cyber Security Associates Ltd - All Rights Reserved | All Logos and Trademarks are © or ™ of there respective owners