Hackers can use AirTags to steal your Apple account — what you need to know

AirTag
(Image credit: Apple)

Apple's AirTags make it easy to phish people and steal their Apple accounts, a security researcher says.

Bobby Rauch, a Boston-area cybersecurity consultant, said in a blog post today (Sept. 28) that Apple makes it too easy to sneak malicious code into the online messages that AirTag owners can leave for anyone who finds their lost tracking discs.

"I can't think of another instance where these sort of small consumer-grade tracking devices at a low cost like this could be weaponized," Rauch told independent security reporter Brian Krebs, who first reported this story.

Tom's Guide has reached out to Apple for comment, and we will update this story when we receive a reply.

How to avoid this kind of attack

To protect yourself from this sort of attack, be aware that you don't need to log into iCloud or your Apple account to report a found AirTag.

You should also enable two-factor authentication to make logging into your Apple account difficult for an attacker who does not possess one of your Apple devices, even if that attacker has your Apple username and password.

If you think your Apple ID has been phished or otherwise stolen, change your Apple password right away.

Injection without detection

In a series of YouTube clips posted on Medium, Rauch showed how he could use off-the-shelf software to inject an invisible script into the phone-number field that an AirTag owner fills in when reporting a lost AirTag to Apple.

An iPhone user who came across the lost AirTag would connect their iPhone to it wirelessly, which, in turn, would force the iPhone to open a page at found.apple.com specific to that lost device.

Normally, that Found page would contain information about contacting the lost AirTag's rightful owner. But in this case, the hidden script would secretly redirect the victim's iPhone to a page that would look like a standard iCloud login page, but would actually be a phishing page ready to steal the victim's Apple username and password.

"Since Airtags were recently released, most users would be unaware that accessing the https://found.apple.com page doesn't require authentication at all," Rauch wrote on Medium. "The https://found.apple.com link can also be used as a phishing link, and shared via a desktop/laptop, without the need for a mobile device to scan the Airtag."

Easy to fix, not so easy to overlook

Rauch told Krebs that he told Apple about this vulnerability in June, but that Apple sat on it for three months while the company investigated. After the three-month mark passed — generally regarded as long enough for a security researcher to wait before disclosing an unpatched flaw — Rauch reached out to Krebs.

Krebs contacted Apple for comment, soon after which Apple emailed Rauch and asked him not to discuss the vulnerability in public. Rauch apparently declined, telling Krebs he never got a timeline about when the bug would be fixed, whether he'd be credited with finding it, or whether he'd get any kind of "bug bounty" at all.

Last week, another security researcher, fed up with waiting for Apple to patch the flaws he'd discovered, simply put exploits for those flaws online.

Rauch told Krebs that patching this issue involves simply banning certain characters from the Found page's entry fields.

"It's a pretty easy thing to fix," Rauch said. "Having said that, I imagine they [Apple] probably want to also figure out how this was missed in the first place."
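As an added, defender-side illustration of the two points above (the injection through the owner-supplied phone-number field, and Rauch's remark that the fix is to restrict which characters the Found page's entry fields accept), here is example code that is not Apple's and not from Rauch's write-up. It assumes a hypothetical web backend that stores a contact number entered by the AirTag owner and later renders it into a page shown to whoever finds the tag; the function names, the allowlist pattern and the sample values are all constructed for this example. It goes a step beyond "banning certain characters" by allowlisting only what a phone number needs, and it also HTML-escapes the value at render time so that a gap in validation alone would not let markup reach a finder's browser.

```python
import html
import re
from typing import Optional

# Allowlist for an owner-supplied contact number (constructed for this example):
# an optional leading "+", one digit, then 4 to 19 characters drawn from digits,
# spaces, parentheses, dots and hyphens. Letters, "<", ">", quotes and anything
# else are rejected outright rather than individually blocklisted.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ().-]{4,19}$")


def validate_phone(value: str) -> bool:
    """Return True only if the submitted value consists entirely of allowed characters."""
    return PHONE_RE.fullmatch(value.strip()) is not None


def render_contact_unsafe(phone: str) -> str:
    """Hypothetical pre-fix behaviour: the stored value is dropped into the page
    verbatim, so any markup typed into the field is served to every finder."""
    return f"<p>Contact the owner at: {phone}</p>"


def render_contact_safe(phone: str) -> Optional[str]:
    """Hardened version: reject values outside the allowlist at input time and
    HTML-escape at output time as a second layer. Returns None when rejected."""
    if not validate_phone(phone):
        return None
    return f"<p>Contact the owner at: {html.escape(phone.strip(), quote=True)}</p>"


def contains_markup(fragment: str, user_value: str) -> bool:
    """Demonstration helper: does the rendered fragment still carry the user's value
    unchanged, including a '<' that came from the user rather than the template?"""
    return "<" in user_value and user_value in fragment


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary number, one that smuggles a tag.
    samples = ["+1 (617) 555-0100", "617-555-0100<i>not a number</i>"]
    for s in samples:
        print(f"{s!r}: valid={validate_phone(s)}")
        print("  unsafe:", render_contact_unsafe(s))
        print("  safe:  ", render_contact_safe(s))
```

The two layers are deliberate: the allowlist is the input-side fix the article describes, and escaping at output time is the usual defence in depth for any field that ends up inside HTML, since it protects the page even if a future change relaxes the validation.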

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the data-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/apple-airtag-phishing-attack

Posted by: craigwitong.blogspot.com
