{"id":347148,"date":"2021-10-01T23:04:23","date_gmt":"2021-10-01T20:04:23","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/hackers-can-turn-airtags-into-phishing-machines-with-this-simple-exploit-review-geek\/"},"modified":"2021-10-01T23:04:23","modified_gmt":"2021-10-01T20:04:23","slug":"hackers-can-turn-airtags-into-phishing-machines-with-this-simple-exploit-review-geek","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/hackers-can-turn-airtags-into-phishing-machines-with-this-simple-exploit-review-geek\/","title":{"rendered":"#Hackers Can Turn AirTags Into Phishing Machines with This Simple Exploit \u2013 Review Geek"},"content":{"rendered":"<div id=\"article-content-area\">\n<figure style=\"width: 1920px\" class=\"wp-caption alignnone\"><img class=\"type:primaryImage wp-image-78783 size-full\" src=\"https:\/\/www.reviewgeek.com\/p\/uploads\/2021\/04\/3f3a008e.jpg?width=1200\" alt=\"\" width=\"1920\" height=\"1080\" data-credittext=\"Apple\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\">Apple<\/span><\/figcaption><\/figure>\n<p>Apple\u2019s latest security issues are both devastating and laughable. Last week, we learned that the company patched a macOS exploit in the laziest way possible, and now, the company is facing backlash for an amateurish AirTags vulnerability that it\u2019s known about for months and never bothered to fix.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"AirTags_Dont_Sanitize_%E2%80%9CPhone_Numbers%E2%80%9D\"><\/span>AirTags Don\u2019t Sanitize \u201cPhone Numbers\u201d<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>AirTags are small trackers that attach to backpacks, purses, luggage, and other valuables. If someone loses their AirTag-equipped bag, they can track its location using the Find My network, which is anonymously powered by iPhones and other Apple devices.<\/p>\n<p>But more often than not, lost articles are found by strangers. That\u2019s why AirTags have a \u201clost mode,\u201d a setting that lets Good Samaritans scan the tracker to see its owner\u2019s phone number. Scanning is easy\u2014you just touch the AirTag with your iPhone.<\/p>\n<p>Unfortunately, a design flaw in AirTags could turn the trackers into cheap tools for drop attacks. As discovered by security researcher <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/medium.com\/@bobbyrsec\/zero-day-hijacking-icloud-credentials-with-apple-airtags-stored-xss-6997da43a216\">Bobby Rauch<\/a>, Apple doesn\u2019t sanitize the phone number entry field that AirTag owners fill out when setting up their trackers. You can stick anything in this entry field, including malicious code.<\/p>\n<p>And that\u2019s a big problem. 
When you scan a lost AirTag, it gives its owner\u2019s \u201cphone number\u201d to your iPhone. Your iPhone then embeds the \u201cphone number\u201d in a <em>https:\/\/found.apple.com\/<\/em> webpage. So if a lost AirTag\u2019s phone number field is full of malicious XSS code, the Apple website will embed it, no questions asked.<\/p>\n<p>This vulnerability makes targeted phishing attempts extremely easy. A hacker can program a fake iCloud login box to show up when their \u201clost\u201d AirTag is scanned, for example. They could then plant this AirTag near a victim\u2019s car or front door to ensure that it\u2019s discovered and scanned.<\/p>\n<p>Hackers could also use this vulnerability to trigger browser-based zero-day exploits on an iPhone. These exploits could crash or brick your iPhone, but to be fair, such an exploit wouldn\u2019t really benefit a hacker (and there are much easier ways to deliver such exploits).<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Apples_Spent_Months_Sitting_On_Its_Hands\"><\/span>Apple\u2019s Spent Months Sitting On Its Hands<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Bobby Rauch, the researcher who discovered this vulnerability, reported it to Apple on June 20th. The company spent three months telling Rauch that it was investigating the issue, and refused to tell him if he would receive credit or a bounty for his discovery (these are standard rewards for following <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/developer.apple.com\/security-bounty\/\">Apple\u2019s bug bounty program<\/a>).<\/p>\n<p>Apple asked Rauch not to \u201cleak\u201d the bug, but refused to work with him or provide a timeline for a patch. 
He warned the company that he\u2019d take the vulnerability public after 90 days, and finally did so in <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/medium.com\/@bobbyrsec\/zero-day-hijacking-icloud-credentials-with-apple-airtags-stored-xss-6997da43a216\">a Medium blog post<\/a>. Still, Apple has not commented on the issue publicly, though it previously told Rauch that it intends to fix the problem.<\/p>\n<p>Technically speaking, this should be a very easy fix. Apple doesn\u2019t need to push an update for the iPhone or AirTags; it just needs to make the <em>https:\/\/found.apple.com\/<\/em> webpage sanitize incoming \u201cphone numbers.\u201d But I hope that Apple takes the steps to <em>completely<\/em> resolve this problem. The company keeps making stupid mistakes and pushing half-assed patches for things that should have been secure at launch.<\/p>\n<p>Not to mention, Apple <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.macrumors.com\/2021\/09\/09\/security-researchers-apple-bug-bounty-complaints\/\">refuses to communicate<\/a> with people who try to report issues through its official bug bounty program. If Apple\u2019s serious about security, it needs to tackle software vulnerabilities quickly and start treating security experts with respect. After all, a lot of these security experts are doing Apple\u2019s work for free.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Is_It_Safe_to_Scan_AirTags\"><\/span>Is It Safe to Scan AirTags?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>This news shouldn\u2019t discourage you from scanning AirTags, though it should make you more vigilant. 
If you\u2019re asked to sign in to iCloud or another account after scanning an AirTag, for example, then something\u2019s up\u2014Apple doesn\u2019t ask for any login information when a legitimate AirTag is scanned.<\/p>\n<p>An AirTag that\u2019s left by itself is also a red flag \u2026 sort of. Because these trackers don\u2019t have built-in keychain loops, they can tumble out of bags or escape from cheap holsters. In most cases, a lone AirTag is the result of carelessness.<\/p>\n<p>Anyway, nobody\u2019s forcing you to scan AirTags. If you find a lost item with an AirTag and aren\u2019t comfortable scanning it, you can take it to the Apple Store (or a police station, I guess) and make it their problem. Just know that there\u2019s probably no harm in scanning it, so long as you don\u2019t type any login information in the AirTags browser popup.<\/p>\n<p><small>Source: <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/medium.com\/@bobbyrsec\/zero-day-hijacking-icloud-credentials-with-apple-airtags-stored-xss-6997da43a216\">Bobby Rauch<\/a> via <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/2021\/09\/apple-airtag-bug-enables-good-samaritan-attack\/\">Krebs on Security<\/a>, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/arstechnica.com\/information-technology\/2021\/09\/apple-airtags-can-be-abused-to-direct-finders-to-malicious-websites\/\">Ars Technica<\/a><\/small><\/p>\n<\/div>\n<p><a href=\"https:\/\/www.reviewgeek.com\/99482\/hackers-can-turn-airtags-into-phishing-machines-with-this-simple-exploit\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#Hackers Can Turn AirTags Into Phishing Machines with This Simple Exploit \u2013 Review Geek&#8221; Apple Apple\u2019s latest security issues are both devastating and laughable. 
Last week, we learned that the company patched a macOS exploit in the laziest way possible, and now, the company is facing backlash for an amateurish AirTags vulnerability that it\u2019s known&#8230;<\/p>\n","protected":false},"author":1,"featured_media":347149,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.reviewgeek.com\/p\/uploads\/2021\/04\/3f3a008e.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-347148","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/347148","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=347148"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/347148\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/347149"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=347148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=347148"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=347148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}