Apple’s latest security problems are both serious and ridiculous. Last week we learned that the company had patched a macOS exploit in the laziest way possible, and now the company is facing a backlash over an amateurish AirTags vulnerability that it has known about for months and never bothered to fix.
AirTags don’t sanitize “phone numbers”
AirTags are small trackers that can be attached to backpacks, purses, luggage and other valuables. If someone loses their AirTag-equipped bag, they can track its location through the Find My network, which is anonymously powered by iPhones and other Apple devices.
But most lost items are found by strangers. Because of this, AirTags have a “Lost Mode,” a setting that allows Good Samaritans to scan the tracker to see the owner’s phone number. Scanning is easy – you just touch the AirTag with your iPhone.
Unfortunately, a design flaw in AirTags could turn the trackers into cheap tools for drop attacks. As security researcher Bobby Rauch found out, Apple does not sanitize the phone number field that AirTag owners fill in when setting up their trackers. You can enter anything in this input field, including malicious code.
And that’s a big problem. When you scan a lost AirTag, it passes the owner’s “phone number” to your iPhone. Your iPhone then embeds that “phone number” in a https://found.apple.com/ web page. So if a lost AirTag’s phone number field contains a malicious XSS payload, the Apple website will embed it with no questions asked.
This vulnerability makes targeted phishing attempts extremely easy. For example, a hacker could program a fake iCloud login box to appear when their “lost” AirTag is scanned. They could then place this AirTag near a victim’s car or front door to make sure it is discovered and scanned.
Hackers could also use this vulnerability to trigger browser-based zero-day exploits on an iPhone. These exploits could crash or lock up your iPhone, but to be fair, such an exploit wouldn’t really benefit a hacker (and there are much easier ways to deliver such exploits).
Apple has spent months sitting on its hands
Bobby Rauch, the researcher who discovered this vulnerability, reported it to Apple on June 20. For three months the company told Rauch that it was investigating the issue and refused to tell him whether he would receive credit or a bounty for his discovery (these are standard rewards for following Apple’s bug bounty program).
Apple asked Rauch not to “leak” the bug, but refused to work with him or provide a schedule for a patch. He warned the company that he would make the vulnerability public after 90 days, and eventually did so in a Medium blog post. However, Apple has not commented publicly on the issue, despite previously telling Rauch that it intends to fix it.
Technically, this should be a very simple fix. Apple doesn’t have to release an update for the iPhone or AirTags; it just has to sanitize the “phone numbers” coming into its https://found.apple.com/ website. But I hope Apple takes the steps to completely fix this problem. The company keeps making silly mistakes and pushing half-hearted patches for things that should have been secure from the start.
Not to mention Apple’s refusal to communicate with anyone trying to report issues through its official bug bounty program. If Apple is serious about security, it must address software vulnerabilities quickly and treat security professionals with respect. After all, many of these security professionals do Apple’s job for free.
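To make the flaw and the fix concrete, here is an added example (not Apple’s code, and not Rauch’s) showing the two ways a server-side page could render an owner-supplied “phone number” field: one that interpolates the raw field into HTML, as the article describes found.apple.com doing, and one that validates the field against an allow-list and HTML-escapes it before embedding. The page template, the function names and the sample inputs are all assumptions constructed for illustration.

```javascript
// Added example: rendering an AirTag owner's "phone number" into a found-item page.
// Not Apple's code; the template and function names are hypothetical.

// Constructed sample inputs: a legitimate number and a field abused to carry markup.
const LEGIT_NUMBER = "+1 (555) 010-0199";
const HOSTILE_FIELD = '<script>alert("not a phone number")</script>';

// VULNERABLE pattern: the owner-supplied field goes straight into the HTML.
// Whatever the owner typed, tags included, is rendered by the finder's browser.
function renderLostPageUnsafe(contactField) {
  return `<p>This item is lost. Please call: ${contactField}</p>`;
}

// Allow-list for a phone number: optional leading '+', then digits plus the
// spacing and punctuation real numbers use. Anything else is rejected outright.
const PHONE_PATTERN = /^\+?[0-9][0-9 ().\/-]{4,29}$/;

function isPlausiblePhoneNumber(value) {
  return typeof value === "string" && PHONE_PATTERN.test(value.trim());
}

// HTML-escape so any character with markup meaning is shown as text, never parsed.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED pattern: validate first, then escape anyway (defence in depth), so a
// future relaxation of the allow-list cannot quietly reintroduce injection.
function renderLostPageSafe(contactField) {
  if (!isPlausiblePhoneNumber(contactField)) {
    return "<p>This item is lost. The owner's contact details are unavailable.</p>";
  }
  return `<p>This item is lost. Please call: ${escapeHtml(contactField.trim())}</p>`;
}

// Simple check a reviewer or test can run over rendered output.
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe:", renderLostPageUnsafe(HOSTILE_FIELD));
console.log("safe:  ", renderLostPageSafe(HOSTILE_FIELD));
console.log("legit: ", renderLostPageSafe(LEGIT_NUMBER));
```

The point of validating and escaping separately is that the validation step is the one that fixes the AirTags case (a phone number field should only ever contain a phone number), while the escaping step protects every other place the same string might later be echoed.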
Is it Safe to Scan AirTags?
This news shouldn’t stop you from scanning AirTags, but it should make you more vigilant. For example, if you are asked to sign in to iCloud or another account after scanning an AirTag, something is wrong – Apple doesn’t ask for credentials when you scan a legitimate AirTag.
An AirTag found on its own is also a red flag … so to speak. Since these trackers don’t have built-in keyring loops, they can fall out of pockets or slip out of cheap holders. In most cases, a lone AirTag is the result of carelessness.
However, nobody is forcing you to scan AirTags. If you find a lost item with an AirTag and you don’t want to scan it, you can take it to an Apple Store (or a police station, I think) and make it their problem. Just keep in mind that as long as you don’t enter credentials into the AirTag browser pop-up, there probably isn’t any harm in scanning it.
Source: Bobby Rauch on Krebs on Security, Ars Technica