AirTag ‘Lost Mode’ weakness can send users to harmful websites.
The AirTag feature that lets anyone with a smartphone scan a lost AirTag to see the owner’s contact information could be abused for phishing.
When an AirTag is set to Lost Mode, it generates a https://found.apple.com URL and lets the AirTag owner enter a contact phone number or email address. Anyone who scans the AirTag is automatically sent to that URL, and the page shows the owner’s contact details without requiring a login or any personal information from the person scanning.
According to KrebsOnSecurity, Lost Mode does not stop an owner from entering arbitrary code into the phone number field, so anyone who scans the AirTag can be redirected to a fake iCloud login page or another malicious site. Someone who does not know that no personal information is needed to view AirTag details may then be asked to enter their iCloud login or other personal data, or the site may try to download malicious software onto their device.
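The defect described above is a classic stored-injection pattern: a field that is only ever meant to hold a phone number or an email address is rendered into a web page without being validated or escaped. The snippet below is an added illustration, not Apple’s code and not from the KrebsOnSecurity report; the field names, regular expressions and sample inputs are assumptions constructed for this example. It shows the weak rendering path beside a hardened one that allowlists the contact value by type and HTML-escapes it before it reaches the page, so markup or script placed in the field is rejected rather than executed.

```python
import html
import re
from typing import Optional

# Allowlist patterns for the two contact types the Lost Mode page accepts.
# Phone: optional leading '+', then digits with common separators, 7..20 chars.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 .()\-]{5,18}[0-9]$")
# Email: a deliberately conservative shape; production code would use a
# dedicated validator, but this is enough to exclude markup and URLs.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")


def render_unvalidated(contact: str) -> str:
    """Weak: the stored field value is dropped into the page as-is.

    This is the pattern the report describes: whatever the owner typed into
    the contact field becomes part of the HTML shown to the person scanning.
    """
    return f"<p>Contact the owner at: {contact}</p>"


def validate_contact(kind: str, value: str) -> Optional[str]:
    """Return the normalised contact value if it matches its type's allowlist,
    otherwise None. 'kind' is 'phone' or 'email' (assumed field types)."""
    s = value.strip()
    if kind == "phone" and PHONE_RE.fullmatch(s):
        return s
    if kind == "email" and EMAIL_RE.fullmatch(s):
        return s
    return None


def render_hardened(kind: str, contact: str) -> Optional[str]:
    """Hardened: validate on input, escape on output.

    Validation rejects anything that is not a plausible phone number or
    address; escaping is defence in depth so that even a value that slipped
    past validation could not introduce tags or attribute breaks.
    """
    clean = validate_contact(kind, contact)
    if clean is None:
        return None
    return f"<p>Contact the owner at: {html.escape(clean, quote=True)}</p>"


def check_samples() -> dict:
    """Run constructed sample inputs through both paths for comparison."""
    good_phone = "+1 (555) 010-4242"          # constructed sample
    good_email = "owner@example.invalid"       # constructed sample
    # Constructed hostile sample: markup instead of a phone number.
    markup = '<a href="https://example.invalid/login">call me</a>'
    return {
        "weak_renders_markup": "<a href" in render_unvalidated(markup),
        "hardened_phone": render_hardened("phone", good_phone),
        "hardened_email": render_hardened("email", good_email),
        "hardened_rejects_markup": render_hardened("phone", markup) is None,
    }


if __name__ == "__main__":
    for name, result in check_samples().items():
        print(f"{name}: {result}")
```

The important design choice is that validation is keyed to the declared type of the field: a phone number field has no legitimate reason to contain angle brackets, quotes or a scheme such as `javascript:`, so an allowlist regex removes the whole class of problem rather than trying to blacklist individual dangerous strings. Output escaping remains in place because the stored value may have been written by an older code path that did not validate.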
The AirTag flaw was discovered by security consultant Bobby Rauch, who told KrebsOnSecurity that the weakness makes AirTags dangerous. “I don’t remember another example where small consumer-level tracking devices could be used as a weapon at such a low cost,” he said.
Rauch contacted Apple on June 20, and Apple took several months to investigate. Apple told Rauch last Thursday that it would address the weakness in an upcoming update, and asked him not to discuss it publicly.
Apple did not answer his questions about whether he would receive credit or qualify for the Bug Bounty program, so he decided to share details of the threat, citing Apple’s lack of communication.
“I told them, ‘I’m willing to work with you if you can provide some details of when you plan to fix it, and whether there’s any recognition or a Bug Bounty payment,’” Rauch said, noting that he intends to publish his results within 90 days of Apple being notified. “Their response was basically, ‘If you don’t leak it, we’ll appreciate it.’”
Last week, after Apple had ignored his reports and failed to resolve the issues for months, security researcher Denis Tokarev publicized several zero-day iOS vulnerabilities. Apple has since apologized, but the company has been criticized over its Bug Bounty program and the slowness with which it responds to reports.