A security flaw has been identified in the Lost Mode feature of the Apple AirTag, the tracker used to keep track of dogs, luggage, surfboards, handbags and anything else you want to find again.
AirTags make it super easy to know where your stuff is by using the built-in Find My app on an iPhone or other Apple device. I have them on two surfboard bags, our dogs’ collars, my wallet, backpack, medication bag and a bike. AirTags work amazingly well, with a replaceable battery that lasts up to a year.
Researcher Bobby Rauch was the first to report the trouble, which could turn a simple $29 AirTag into a “drop attack” tool. What that means is that someone with criminal intentions could put malicious code into the Lost Mode message tied to the AirTag (the phone number field), and that code is served to anyone who scans the tag.
How a potential AirTag Lost Mode Attack would work
One great feature of the Apple AirTag is that someone who finds a lost AirTag can simply hold their phone near it while it is in Lost Mode, and the phone opens a page showing the owner’s phone number in hopes of reuniting the lost item. The page expects that field to hold a phone number, but it does not enforce that. Instead of the owner’s phone number, malicious code embedded in that field could run in your phone’s browser the moment the Lost Mode page loads.
For example, a hacker could plant an AirTag near your car or in your front yard, knowing most people are good samaritans and will scan it to help reunite it with the owner. Instead, the malicious XSS code could run in your browser, for example redirecting you to a fake login page or attempting other scams. (An XSS flaw runs script in the web page you opened; it does not “brick” the phone.)
The researcher says he reported the vulnerability to Apple through its bug bounty program back in June but has not been able to get a response beyond that it is investigating the issue.
The fix seems straightforward: the https://found.apple.com/ page should only accept a real phone number in the phone number field and escape whatever it displays, so stray code is shown as text rather than run – no brainer, right?
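To make the problem in the two paragraphs above concrete, here is an added example (not Apple’s code, and not from the researcher) of a hypothetical Lost Mode page renderer that interpolates the stored phone number field straight into HTML, beside a hardened version that validates the field against a strict phone-number pattern and HTML-escapes it before rendering. The page names, the wrapper text and the sample values are all constructed for the illustration.

```javascript
// Added example: a stored-XSS-prone "Lost Mode" renderer beside a hardened one.
// Hypothetical stand-in for a found.apple.com-style page; not Apple's code.

// Constructed sample inputs: what a legitimate owner might enter in the
// phone number field, and an attacker-controlled value stored in the same field.
const BENIGN_PHONE = "+1 415 555 0100";
const MALICIOUS_PHONE =
  '<img src=x onerror="location=\'https://phish.example/login\'">';

// Vulnerable: whatever was stored in the field lands in the page unchanged,
// so markup and event handlers in it are interpreted by the finder's browser.
function renderLostModeUnsafe(phone) {
  return `<p>If found, please call: ${phone}</p>`;
}

// Output encoding: turn the five HTML-significant characters into entities
// so the browser displays them as text instead of parsing them as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Input validation: an allow-list for the phone number field. Optional leading
// "+", then a digit, then 5..19 more digits, spaces, parentheses or dashes.
const PHONE_RE = /^\+?[0-9][0-9 ()-]{5,19}$/;
function isValidPhone(phone) {
  return PHONE_RE.test(phone);
}

// Hardened: reject bad input when it is stored (or rendered), and escape on
// output anyway, so either control alone would have stopped the payload.
function renderLostModeSafe(phone) {
  if (!isValidPhone(phone)) {
    throw new Error("phone number field contains disallowed characters");
  }
  return `<p>If found, please call: ${escapeHtml(phone)}</p>`;
}

// Check used below: strip the fixed wrapper and ask whether the interpolated
// part still contains a raw "<", i.e. something the browser would parse as a tag.
function interpolatedPartHasMarkup(html) {
  const inner = html
    .replace(/^<p>If found, please call: /, "")
    .replace(/<\/p>$/, "");
  return inner.includes("<");
}

// Stand-alone demonstration.
console.log(interpolatedPartHasMarkup(renderLostModeUnsafe(MALICIOUS_PHONE))); // true
console.log(interpolatedPartHasMarkup(renderLostModeSafe(BENIGN_PHONE)));      // false
try {
  renderLostModeSafe(MALICIOUS_PHONE);
} catch (e) {
  console.log("rejected:", e.message);
}
```

The two controls are deliberately independent: validation stops the payload from ever being stored, and escaping makes the page safe even if validation is bypassed or a field with looser rules (a free-text message, say) is added later.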
Are AirTags Safe?
The short answer is yes. The chances of a hacker targeting you this way would seem to be remote at best, and it shouldn’t stop a good person from scanning an AirTag you happen upon. Just be cautious: a legitimate Lost Mode page only displays the owner’s message and contact details, so if the page that opens asks you to sign in, enter a password or install anything, close it. If you are concerned about scanning the AirTag, you can always take it to an Apple Store.