Apple has some serious problems with their brand new tracking devices – AirTag. These useful at the first glance devices can be made a spreading point for malicious malware. A security consultant and penetration tester based in Boston Bob Rauch already notified the company but said it doesn’t seem like they are quick in their response. According to him, the weakness presented in the AirTag tracking device allows inserting in the message field text of any context. And it can present a good opportunity for hackers basically making the Apple tracking device a physical trojan horse.
Is that thing hackable?
The principle of work of the Air Tag is quite simple, you can put it to anything that can often be lost and never fear to lose it. If you lost something, you can set the thing into “Lost Mode” and a unique URL address will be created at https://found.apple.com where the owner of the lost item can write a message to a potential finder adding also a phone number to contact them. And that’s where the problem lies.The message pops up without the finder to log in or provide any personal information. In such a way, someone who may find this tracking device can be redirected by the person who intentionally lost their AirTag to a website that either will try to install malware onto their device, or to the fishing page.
“I can’t remember another instance where these sort of small consumer-grade tracking devices at a low cost like this could be weaponized,” the same Bob Rauch shared in an interview with KrebsonSecurity.1
He contacted Apple on June 20th about the bug he`d found. He also asked when they are going to fix it and whether he will get any credit. The responses were only that the company is still investigating, ignoring his questions.This went on for about three months and this month he received an email saying that the company plans to fix the bug in an upcoming update and also would he be so kind as to stay quiet until then? Rauch, not receiving any answers for his questions, decided to make his findings public before notifying the company that he will do so within 90 days. He did even though Apple states in their Apple Security Bounty that in order to qualify for Apple’s “bug bounty” program those who report on the new findings should keep their silence until the bug is fixed.
Apple is particularly known for their not so nice manners in handling bugs reporting and many researchers complain that Apple doesn’t always pay or give the researchers public recognition, they are slow with fixing reported bugs and respond in a short words or doesn’t respond at all. Many cyber security specialists point out that such negligence leads to researchers simply publishing their reports on the darknet where they can get much more money.