A computer security researcher has discovered a problem in Apple's new AirTags that makes them a very effective phishing tool against users who are careless or do not know how the device works.
The vulnerability stems from the AirTag's Lost Mode, which lets the owner enter a personal message or a contact number so that whoever finds the AirTag can get in touch.
Those contact details appear when someone scans the AirTag, with either an iPhone or an Android phone. The problem is that the phone number field filled in when declaring an AirTag lost accepts any kind of code; for example, a URL that sends the person scanning the AirTag to a website built to steal credentials or passwords.
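The class of fix for a field like this, shown as an added example that is not Apple's code or the researcher's: a contact-number field rendered as typed, next to one that is allow-list validated on input and escaped on output. The function names, the 7 to 15 digit rule and both sample inputs are assumptions made for the illustration.

```python
import html
import re

# Allow-list: optional leading "+", then 7-15 digits once separators are removed.
# (The length bounds are an assumption for this example.)
_SEPARATORS = re.compile(r"[ \-().]")
_PHONE = re.compile(r"\+?[0-9]{7,15}")


def normalize_phone(raw: str) -> str:
    """Return the number with separators stripped, or raise ValueError."""
    candidate = _SEPARATORS.sub("", raw.strip())
    if not _PHONE.fullmatch(candidate):
        raise ValueError("not a phone number")
    return candidate


def render_naive(raw: str) -> str:
    # Weak form: whatever was typed into the field becomes part of the page,
    # so markup in the "phone number" is interpreted by the finder's browser.
    return f"<p>Call the owner: {raw}</p>"


def render_hardened(raw: str) -> str:
    # Validate on input, then still escape on output as a second layer.
    try:
        number = normalize_phone(raw)
    except ValueError:
        return "<p>No valid contact number was provided.</p>"
    safe = html.escape(number, quote=True)
    return f'<p>Call the owner: <a href="tel:{safe}">{safe}</a></p>'


# Constructed sample inputs (not taken from the article).
GOOD = "+1 (555) 010-0199"
BAD = '<a href="https://login.example.invalid/">tap to call</a>'

if __name__ == "__main__":
    for value in (GOOD, BAD):
        print("naive:   ", render_naive(value))
        print("hardened:", render_hardened(value))
```

Validation belongs on the server that stores the Lost Mode data, since a check done only in the owner's app can be bypassed by whoever submits the value.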
According to Bobby Rauch, the security researcher who discovered the problem, the bottom line is that an AirTag is a very cheap device that is available to anyone with questionable intentions. It has already happened in the past that pen drives or other devices were left lying around in the hope that some Good Samaritan would find them and connect them to a computer out of curiosity.
The researcher also reveals that he contacted Apple months ago to warn them of the problem, and the company limited itself to replying that it would investigate the situation, in addition to asking him not to leak or publish the finding until a solution is found.
According to Krebs on Security, this behavior is common: Apple is not very collaborative with external researchers who find security problems in its products, which makes some of them more inclined to share their discoveries with third parties rather than with Apple, since the monetary rewards may be greater.