AirTags can be used for phishing (but don’t panic)

Apple AirTags can be used as a digital Trojan horse to steal personal information. But the danger posed by this attack should be kept firmly in perspective, since the scenarios in which it would work are very, very specific.

AirTags, the small connected beacons from Apple meant to help you find your keys, can also be used to infect your phone. In an article published on September 28, 2021, cybersecurity specialist Brian Krebs discusses how Apple’s gadgets can facilitate phishing and theft of personal data. But it is important to put into perspective the risk that such an attack will materialize in “real life”.

How does an AirTag attack work?

When an AirTag is declared “lost”, it generates a unique URL pointing to a web page with the information necessary to contact its owner. The idea is that if a well-meaning person finds the gadget, they can return it to its owner.

The alert message displayed on a lost AirTag // Source: Louise Audry for Numerama

Unfortunately, nothing prevents, in theory, a somewhat seasoned hacker from injecting malicious code into the contact field of this web page. For example, when a well-meaning person scans the AirTag to return it to its owner, they could be redirected to a fake iCloud site that tries to steal their password. In short, it would be an ordinary phishing attempt that uses the AirTag as an infection vector.

It would also be possible to point to a page that will attempt to install malware on the phone, for example.

Technically, no personal information is requested when scanning a lost AirTag. Contact information is supposed to be displayed immediately. As Brian Krebs explains, however, a person who finds an AirTag is not necessarily aware of how the beacon works. By trying to do the right thing, they would expose themselves to a risk of data theft. This is why this phishing method has been dubbed the “Good Samaritan attack”.
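The defence against the contact-field injection described above, as an added example that is not Apple's code or part of the original article: the owner-supplied value is validated as a phone number when it is stored and HTML-escaped when the found-item page is rendered. The function names, the phone-number rule and the free-text `message` field are assumptions made for illustration.

```javascript
// Added example; names, rules and sample values are hypothetical.

// Accept only phone-number characters (optional +, digits, spaces, dots,
// hyphens, parentheses) and 7 to 15 digits; return a normalized form or null.
function normalizePhone(input) {
  if (typeof input !== "string") return null;
  const trimmed = input.trim();
  if (!/^\+?[0-9 ().-]{7,24}$/.test(trimmed)) return null;
  const digits = trimmed.replace(/\D/g, "");
  if (digits.length < 7 || digits.length > 15) return null;
  return (trimmed.startsWith("+") ? "+" : "") + digits;
}

// Escape the five HTML-significant characters so stored text stays text.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Weak rendering: the stored contact value is concatenated into the page as-is,
// so any markup the owner typed becomes part of the page the finder loads.
function renderFoundPageUnsafe(contact) {
  return `<p>Call the owner: ${contact}</p>`;
}

// Hardened rendering: reject anything that is not a phone number, and escape
// every owner-controlled value at output time (defence in depth).
function renderFoundPageSafe(contact, message) {
  const phone = normalizePhone(contact);
  if (phone === null) return "<p>No valid contact number on file.</p>";
  const safePhone = escapeHtml(phone);
  return `<p>Call the owner: <a href="tel:${safePhone}">${safePhone}</a></p>` +
         `<p>${escapeHtml(message)}</p>`;
}

// Constructed sample values, not taken from any real report.
const constructedBadContact = "<script>/* constructed sample */</script>";
const constructedGoodContact = "+33 1 23 45 67 89";

console.log(renderFoundPageUnsafe(constructedBadContact));
console.log(renderFoundPageSafe(constructedBadContact, "Please call me"));
console.log(renderFoundPageSafe(constructedGoodContact, "Reward <offered>"));
```
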

Who is targeted by the attack?

While the attack itself is rather simple, it is still important to put its scope into perspective. Infecting a phone or stealing personal information via an AirTag first requires … buying an AirTag. At 30 euros per beacon, that is very expensive for a gadget that can (very probably) infect only a single phone.

Suffice it to say that hackers using this method will not flood the streets of a city with infected AirTags in an attempt to carry out large-scale data theft (or else it would be very expensive). This attack vector is much more likely to be used in very specific cases.

One can imagine, for example, an ill-intentioned individual leaving an AirTag lying around on the daily route of a particularly important target (a politician, a CEO of a large company), so that it can be found and scanned. As long as the phone contains juicy information that can be stolen, the attack could be profitable.

“If this scenario reminds you of a James Bond movie, you are not far from it,” explains Brian Krebs. However, such an attack would not be completely new, the specialist recalls. In the Stuxnet affair, named after the computer virus that spread on the machines of Iran's nuclear facilities, it was most likely a USB key left carelessly in a parking lot, and used by a government employee, that facilitated the attack. In 2008, another infected USB flash drive was the source of an attack on the US defense services.

You are probably not concerned

The means required to carry out such an attack are such that it is unlikely that you will find yourself a victim of this scam. Still, to avoid any unpleasant surprise, be careful with AirTags that you find on the street. If, when you scan one, your phone displays a shady page asking for personal information, go no further.

Contacted in June 2021, Apple promised to fix the problem in a future update. Unfortunately, the company did not say when this update would arrive, prompting Bobby Rauch (who discovered the flaw) to speak publicly about the bug in order to alert the public.
