The simplest bug turns AirTags into dangerous Trojans

Security researcher Bobby Rauch discovered a vulnerability in Apple's AirTag trackers that allows the tags to be used to steal personal information, including iCloud usernames and passwords. The problem lies in Lost Mode, which a tag is put into when it is lost.

Apple's Find My service lets owners locate and track their devices. Putting a tag into Lost Mode creates a unique page containing the AirTag serial number, a phone number or email address, and a message from the owner of the lost tag. When someone finds someone else’s tag, they can scan it with their device and open that URL to see information about the owner of the AirTag.

However, an attacker can enter arbitrary code in the phone number field. The victim believes they are being asked to log in to iCloud in order to contact the owner of the AirTag, but they have in fact been redirected to a phishing page that steals their credentials. Other exploits can be delivered in the same way. The security researcher believes that attackers can acquire tags in order to create physical Trojans and so “hook” victims who just want to help someone recover a lost AirTag.

The researcher notified Apple about the vulnerability three months ago, but since then the company has only “studied” the problem. It was only after he contacted renowned cybersecurity expert Brian Krebs that Apple promised to fix it in the next software update.
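
A field that accepts arbitrary code, as the phone number field does here, is normally closed off with two layers: strict validation when the value is saved and HTML encoding when it is rendered. The following is an added example, not code from the article or from Apple; the names `normalizePhone`, `escapeHtml` and `renderFoundPage` and the page layout are assumptions, and only the phone field is validated (an email field would need its own check).

```javascript
// Added example: hypothetical server-side handling of Lost Mode contact fields.
// Function names, field names and markup are assumptions, not Apple's code.

// Encode the five HTML-significant characters so text is never parsed as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only digits, common separators and an optional leading '+',
// then normalise to '+<digits>' or '<digits>'. Anything else is rejected.
function normalizePhone(input) {
  if (typeof input !== 'string' || input.length > 32) return null;
  const trimmed = input.trim();
  if (!/^\+?[0-9 ().-]+$/.test(trimmed)) return null;
  const digits = trimmed.replace(/[^0-9]/g, '');
  if (digits.length < 7 || digits.length > 15) return null;
  return (trimmed.startsWith('+') ? '+' : '') + digits;
}

// Build the page a finder sees. The phone value must pass validation, and
// every owner-supplied value is encoded again at render time as a second layer.
function renderFoundPage({ serial, phone, message }) {
  const safePhone = normalizePhone(phone);
  if (safePhone === null) {
    throw new Error('phone field rejected: not a valid phone number');
  }
  return [
    '<h1>This item has been lost</h1>',
    `<p>Serial number: ${escapeHtml(serial)}</p>`,
    `<p>Call the owner: <a href="tel:${escapeHtml(safePhone)}">${escapeHtml(safePhone)}</a></p>`,
    `<p>${escapeHtml(message)}</p>`,
  ].join('\n');
}

// Constructed sample inputs (not real data).
const SAMPLE_OK = {
  serial: 'SERIAL-PLACEHOLDER',
  phone: '+1 (555) 010-0123',
  message: 'Please call <me> & thanks',
};
const SAMPLE_BAD = { ...SAMPLE_OK, phone: '<script>/* injected */</script>' };
```
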
