Beware of Apple AirTags

Dennis Snider

Apple AirTags are an impressive new development, but they can cause serious problems. AirTags are compact, battery-powered devices you attach to your belongings so you can locate them when they are misplaced. They offer much more than short-range Bluetooth tracking: Apple's Find My network enlists hundreds of millions of iPhones, iPads, and MacBooks to relay location reports, so an AirTag can be located anywhere in the world as long as an active Apple device is nearby. A Good Samaritan (GS) who finds a lost tag can scan it with a phone and is directed to a site showing information such as the owner's contact phone number.

The problem is that this functionality is very easy to abuse. Slip an AirTag into someone's coat pocket and you can track them. Even more concerning, cross-site scripting code planted in the phone number field could redirect a GS who is trying to help locate the owner to a fake iCloud login page, or trick them into downloading a malicious app. In that way an attacker can weaponize the device to capture credentials and steal the identity of the GS.

Apple has so far ignored reports of this security vulnerability, and it has not prevented an AirTag's owner from planting a malicious script in the phone number field. Other XSS attacks, such as session token hijacking and clickjacking, can be carried out the same way. An attacker can even prepare AirTags and leave them around for innocent people to pick up; the Good Samaritan who scans one, simply trying to help someone recover a lost item, can end up with a stolen identity.
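The two paragraphs above describe a stored cross-site scripting flaw: an owner-controlled contact field is written into the page a finder sees. The following is an added illustration, not Apple's code and not taken from the original post; it assumes a hypothetical "lost item" page that renders a stored phone number, and shows the unsafe rendering beside a hardened version that validates the field on input (an allowlist of phone-number characters, an assumed policy) and escapes it on output.

```javascript
// Added example (not Apple's code): an owner-supplied contact field rendered
// into a finder-facing page, shown unsafely and then hardened.

// Escape the characters that change meaning in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Input validation (assumed policy): only what a phone number needs, with a
// bounded length. Anything else is rejected when the owner saves the field.
const PHONE_RE = /^\+?[0-9][0-9 ().-]{4,24}$/;
function isValidPhone(s) {
  return PHONE_RE.test(String(s));
}

// Unsafe: interpolates the stored value straight into markup, so any markup
// the owner typed becomes part of the page the finder loads.
function renderLostPageUnsafe(phone) {
  return `<p>This item is lost. Please call ${phone}.</p>`;
}

// Hardened: reject invalid values, and still escape on render so a value that
// slipped past validation (or an older stored record) cannot become markup.
function renderLostPageSafe(phone) {
  if (!isValidPhone(phone)) {
    return "<p>This item is lost. No valid contact number was provided.</p>";
  }
  return `<p>This item is lost. Please call ${escapeHtml(phone)}.</p>`;
}

// Crude check used by the demo: did a raw <script> tag survive into the HTML?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample inputs: a genuine number and one carrying a script tag.
const GOOD = "+1 555-0100";
const HOSTILE = "555-0100<script>alert('xss')</script>";

// Returns the three renderings so a caller (or a test) can inspect them.
function demo() {
  return {
    unsafe: renderLostPageUnsafe(HOSTILE),
    safeHostile: renderLostPageSafe(HOSTILE),
    safeGood: renderLostPageSafe(GOOD),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const out = demo();
  console.log("unsafe:      ", out.unsafe);
  console.log("safe/hostile:", out.safeHostile);
  console.log("safe/good:   ", out.safeGood);
}
```

Run it with `node` and compare the first line of output with the other two: the unsafe renderer passes the script tag through verbatim, the hardened renderer refuses the value and, even if the validation step were removed, would emit the tag as inert `&lt;script&gt;` text. Validation and output encoding are independent layers; keeping both means one oversight does not become a credential-stealing page.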

Apple knew about this flaw for three months before confirming that it planned to resolve the vulnerability. So far there has been no update. Until Apple patches this flaw and makes AirTags bulletproof, exercise caution when using AirTags or scanning them.