Apple AirTag is a small GPS tracker-like device that helps in finding items that are attached to it. Even if you don’t use an iPhone, you can scan a lost AirTag with your Android phone via NFC and return it to its rightful owner. But before you think of being a good samaritan, note that a new security flaw has been discovered that can effectively turn the Apple AirTag into a “Trojan”, as per a report by KrebsonSecurity. This means if you scan an unknown Apple AirTag that is put on ‘Lost Mode’ there’s a risk of your phone getting infected
Apple AirTags were launched just a few months back and it is already being weaponised. In fact, the AirTags could be a cheap and easy way to attack a smartphone of some innocent passerby who is just trying to help someone in finding a lost belonging.
Security researcher Bobby Rauch in a post on Medium explained that iCloud credentials may be hijacked if you happen to scan a lost AirTag that has been programmed.
When you scan a lost AirTag via NFC on your phone, you are directed to a unique “https://found.apple.com” page. This page provides information like serial number along with the owner’s phone number and a personal message.
Rauch explained that “an attacker can carry out Stored XSS on this https://found.apple.com page, by injecting a malicious payload into the Airtag “Lost Mode” phone number field.”
He further added, “A victim will believe they are being asked to sign into iCloud so they can get in contact with the owner of the Airtag, when in fact, the attacker has redirected them to a credential hijacking page. Other XSS exploits can be carried out as well like session token hijacking, clickjacking, and more. An attacker can create weaponized Airtags, and leave them around, victimizing innocent people who are simply trying to help a person find their lost Airtag.”
What’s worrying is that, he claimed that “there are countless ways an attacker could victimize an end user who discovers a lost Airtag.”
For those unaware, you need to have an iPhone to use the AirTag. This tracker doesn’t work with Android phones. Having said that, you can use an Android phone with NFC to alert the owner of the AirTag if you happen to find a lost AirTag.