Enlarge / Apple’s AirTags—as seen clipped to a backpack, above—allow users to attempt to find their own device via location rebroadcast from other Apple users. If all else fails, the user can enable a “Lost mode” intended to display their phone number when a finder scans the missing AirTag. (credit: James D. Morgan / Getty Images)
The hits keep coming to Apple’s bug-bounty program, which security researchers say is slow and inconsistent to respond to its vulnerability reports.
This time, the vuln du jour is due to failure to sanitize a user-input field—specifically, the phone number field AirTag owners use to identify their lost devices.
The Good Samaritan attack
AirTags are tiny, button-like devices which can be personalized with engraving and attached to easily lost devices either directly or via “loop” holders. (credit: James D. Morgan via Getty Images)
Security consultant and penetration tester Bobby Rauch discovered that Apple’s AirTags—tiny devices which can be affixed to frequently lost items like laptops, phones, or car keys—don’t sanitize user input. This oversight opens the door for AirTags to be used in a drop attack. Instead of seeding a target’s parking lot with USB drives loaded with malware, an attacker can drop a maliciously prepared AirTag.
