AirTags are Apple’s version of Tile trackers — they’re small circular gadgets with Find My Network support. When a user enables Lost Mode on an AirTag, it generates a unique URL that directs whoever finds and scans it to https://found.apple.com to view the owner’s contact details. However, a recently discovered security flaw makes scanning random AirTags potentially dangerous.
A report on KrebsOnSecurity details (via MacRumors) that Lost Mode doesn’t prevent users from injecting arbitrary code into the contact details field, and that code is rendered when the found.apple.com page displays the owner's details. In theory, people can exploit this vulnerability by setting up AirTags that redirect unsuspecting users to phishing or other malicious websites. As a result, an average user trying to do the right thing by contacting the owner of a lost AirTag can fall victim to the scam.
This vulnerability was first discovered by Bobby Rauch, a Boston-based security consultant. Rauch reported it to Apple back in June, and the investigation lasted for three months. Last Thursday, Apple got back to him and said it would be patching this security flaw in a future update.
I can’t remember another instance where these sorts of small consumer-grade tracking devices at a low cost like this could be weaponized. It’s a pretty easy thing to fix. Having said that, I imagine they probably want to also figure out how this was missed in the first place.
Rauch had informed Apple that he’d be sharing the details of this vulnerability with the public within 90 days of his notification. While Apple told him that they would appreciate it if he didn’t leak it, he stuck to his word and published his findings three months later.
Do you use any AirTags to track your items? If you find a lost AirTag, would you scan it? Let us know in the comments section below.