Researchers have identified two potential vulnerabilities in AirTag, Apple’s recently released tracking device, which is a coin-shaped device marketed to allow people to find missing items.
The Find My app
One vulnerability potentially allows threat actors to establish a covert low-bandwidth data channel to non-AirTag devices, with the second vulnerability allowing for the replacement of an AirTag’s firmware with malicious code. Privacy issues have also been raised.
The small, circular metal discs display a location on Apple’s ‘Find My’ app once it has been paired with a user’s Apple ID. Each tag transmits a unique identifier using Bluetooth which will relay its location to Apple’s servers, via any compatible Apple device within range. The AirTags have no positional location capability such as GPS, but instead “ping” the nearest Bluetooth-enabled device, piggybacking off that device’s location data.
Researchers at consultancy firm Positive Security, identified that Apple's ‘Find My’ network can be used to send data from non-AirTag devices, at low data rates of a few bytes per second which could provide threat actors with a viable low-cost method of exfiltrating data from a corporate environment when used alongside surveillance sensors such as USB keyloggers.
The efficacy is likely to be low due to the unreliable nature of its communications, with data packets arriving out of order and dropped packets presenting a challenge, but with research, modified AirTag’s could potentially be used to exfiltrate data from air-gapped sites, if someone enters with an iPhone or other Apple device.
The second possible vulnerability is based on a method of modifying a device’s firmware, known as jailbreaking, where an electrical current is supplied at start up, aimed at disrupting the boot commands of the device and allowing access to the code. Researchers were able to then swap out the original code and replace it with malicious code which would present a phishing hyperlink to the user of a phone which scanned, or detected, a modified AirTag.
Despite a proof of concept being identified, it is technically sophisticated, so whilst immediate exploitation of this by threat actors is unlikely, it highlights that the security of AirTags can be circumvented.
Privacy issues have also been raised as the AirTags may be used for stalking, and covert monitoring of people’s location.
Whilst Apple has implemented several safeguards, including an alert triggered on a victim’s phone when an AirTag seems to be accompanying someone who’s not its owner, researchers have shown that these measures are relatively easy to circumvent. With one experiment showing an AirTag can be placed on a target person without triggering any of the safeguards if it was reconnected to, or came into range of, a threat actors device at regular intervals, found to be a three-day window.
Whilst currently, the risk of espionage using these devices, and of receiving phishing alerts, is low, it is likely to rise in the future. Organisations are advised to consider policy restrictions on their use in the workplace. Staff should exercise caution when scanning or receiving an AirTag alert on their work or personal devices to prevent exposure to potential malicious links.
They should also be made aware of the potential for AirTag’s use for remote monitoring of people’s locations.
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to firstname.lastname@example.org. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).