Hackers can use AirTags to steal your Apple account — what you need to know
Apple's AirTags make it easy to phish people and steal their Apple accounts, a security researcher says.
Bobby Rauch, a Boston-area cybersecurity consultant, said in a blog post today (Sept. 28) that Apple makes it too easy to sneak malicious code into the online messages that AirTag owners can leave for anyone who finds their lost tracking discs.
"I can't remember another instance where these sort of small consumer-grade tracking devices at a low cost like this could be weaponized," Rauch told independent security reporter Brian Krebs, who first reported this story.
Tom's Guide has reached out to Apple for comment, and we will update this story when we receive a response.
How to avoid this kind of attack
To protect yourself from this sort of attack, be aware that you don't need to log into iCloud or your Apple account to report a found AirTag.
You should also enable two-factor authentication to make logging into your Apple account difficult for an attacker who does not possess one of your Apple devices, even if that attacker has your Apple username and password.
If you think your Apple ID has been phished or otherwise stolen, change your Apple password right away.
Injection without detection
In a series of YouTube clips posted on Medium, Rauch showed how he could use off-the-shelf software to inject an invisible script into the phone-number field that an AirTag owner fills in when reporting a lost AirTag to Apple.
An iPhone user who came across the lost AirTag would connect their iPhone to it wirelessly, which, in turn, would force the iPhone to open a page at found.apple.com specific to that lost device.
Normally, that Found page would contain information about contacting the lost AirTag's rightful owner. But in this case, the hidden script would secretly redirect the victim's iPhone to a page that would look like a standard iCloud login page, but would really be a phishing page ready to steal the victim's Apple username and password.
"Since Airtags were recently released, most users would be unaware that accessing the https://found.apple.com page doesn't require authentication at all," Rauch wrote on Medium. "The https://found.apple.com link can also be used as a phishing link, and shared via a desktop/laptop, without the need for a mobile device to scan the Airtag."
Easy to fix, not so easy to overlook
Rauch told Krebs that he told Apple about this vulnerability in June, but that Apple sat on it for three months while the company investigated. After the three-month mark passed — generally regarded as long enough for a security researcher to wait before disclosing an unpatched flaw — Rauch reached out to Krebs.
Krebs contacted Apple for comment, soon after which Apple emailed Rauch and asked him not to discuss the vulnerability in public. Rauch evidently declined, telling Krebs he never got a timeline about when the bug would be fixed, whether he'd be credited with finding it, or whether he'd get any kind of "bug bounty" at all.
Last week, another security researcher, fed up with waiting for Apple to patch the flaws he'd discovered, simply put exploits for those flaws online.
Rauch told Krebs that patching this issue involves simply banning certain characters from the Found page's entry fields.
"It's a pretty easy thing to fix," Rauch said. "Having said that, I imagine they [Apple] probably want to also figure out how this was missed in the first place."
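As an added illustration of the kind of fix Rauch describes (this is example code written for this article, not Apple's code and not from Rauch's post; the function names, the allow-list pattern and the sample inputs are assumptions), the snippet below applies two layers to a Lost Mode contact field: an allow-list check that rejects anything other than phone-number characters before the value is stored, and HTML escaping when the unauthenticated found page renders it, so stored text can never become markup.

```javascript
// Added example, not Apple's code. Layer 1: only accept what a phone
// number can contain (optional leading +, digits, spaces, ( ) . / -).
// Angle brackets, quotes, colons and letters are all rejected, so a
// script tag or a "javascript:" URL never reaches storage.
const PHONE_ALLOWED = /^\+?[0-9][0-9 ()./-]{4,30}$/;   // assumed pattern

function isValidLostModePhone(input) {
  if (typeof input !== 'string') return false;
  return PHONE_ALLOWED.test(input.trim());
}

// Layer 2: escape on output. Even if a bad value slipped past the
// allow-list (or the rules are later relaxed), the found page shows
// the characters as inert text rather than executing them.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the contact line a found-device page would display.
// Returns ok:false when the value fails validation, so the caller
// can ask the owner to re-enter it instead of storing it.
function renderContactLine(phone) {
  if (!isValidLostModePhone(phone)) {
    return { ok: false, html: '' };
  }
  return { ok: true, html: `<p>Contact owner: ${escapeHtml(phone.trim())}</p>` };
}

// Constructed sample inputs for the checks above (not real data).
const SAMPLES = {
  legit: '+1 (555) 010-0199',
  injected: '+1 555 0100<script>alert(1)</script>',
  urlScheme: 'javascript:alert(1)',
};

for (const [name, value] of Object.entries(SAMPLES)) {
  console.log(name, renderContactLine(value));
}
```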
Source: https://www.tomsguide.com/news/apple-airtag-phishing-attack