The airbag trackers are one among Apple’s long-rumoured products that ended up garnering a touch of controversy on launch. Easy to use and almost too easy to lose, Apple’s new Find My network was also criticized for being a privacy disaster waiting to happen. Apple has dealt with a number of those throughout a couple of months since the AirTags launched. Still, a newly reported vulnerability now threatens to harm kindhearted iPhone users that take their time to assist trace the owner of a lost tracker.
Apple adjusted its Find My system to accommodate the new AirTag trackers and their simple use. This convenience, however, raised privacy concerns, like how the trackers might be wont to stalk people. Even one vulnerability allowed an AirTag to be hacked and modified to try quite just to broadcast its location.
To its credit, Apple has been fixing these issues as they are available, but there doesn’t seem to be an end yet in view to potential exploits. The newest that Kerbs have reported on Security revolves around the AirTag’s Lost Mode, where it lets owners set a message and get in touch with a number to call just in case the tracker was found. The matter is that there aren’t any hard security checks on the links that users can tap on.
In one very plausible scenario, a hacker would have injected a URL into the telephone number field of the AirTag’s Lost Mode. That link would direct the user to a malicious page masquerading as an iCloud login page. Thinking of doing an honest deed, the unwitting person enters their credentials on the page, giving hackers some juicy data for further hacking sprees, especially since people tend to reuse passwords across services.
The report also touches on Apple’s behaviour in handling the bug report from security researcher Bobby Rauch. There are debates on responsible disclosure of such vulnerabilities, especially after a corporation requests silence on the matter. That said, Apple has also long been chastised for its ideal handling of those reports, which frequently find yourself getting publicized even before Apple fixes them.
