Although it did not appear at this year's iPhone 13 lineup launch event, AirTag, a smart tracker Apple released in the first half of this year, has been popular with many consumers. Its appeal is that it helps reduce lost items by tracking the location of belongings in an instant.
However, some security experts have urged users to be cautious after discovering a security vulnerability through which AirTag could be hacked. Recently, an overseas cybersecurity expert disclosed the AirTag hacking process in detail.
AirTag is at high risk of hacking
Security researcher Bobby Rauch contacted cybersecurity blogger Brian Krebs about a way to use AirTag's tracking system to steal users' confidential information and data, and the process was reported in detail.
The hacking process that Rauch discovered occurs when 'Lost Mode' is set and the user finds their belongings in a public place. When searching for belongings with an AirTag attached, AirTag remotely tracks their location through Apple's Find My app. At this point, the AirTag attached to the belongings the user wants to find is scanned with the NFC reader of the iPhone or Android device linked to the AirTag. At the same time, contact information for all devices related to the AirTag can be collected.
AirTag users can open the 'Find My' app and add a contact number or email address. Once a hacker has access to the AirTag, collecting the relevant information becomes a breeze. This is because when a user scans the AirTag, a unique URL is automatically delivered to the smartphone for viewing the AirTag owner's contact information and messages.
Registering contact information and email addresses is meant to help owners recover their belongings easily, but it is also what makes users vulnerable to hacking. Adding to the problem is the lack of any feature that stops AirTag users from entering arbitrary code in the contact field of the device URL. Rauch warned that arbitrary code entered into an AirTag could be exploited for phishing and for attacks that lead people to malicious websites designed to steal personal information.
AirTag hacking risk, Apple's response and solution?
Meanwhile, Krebs said that after listening to Rauch's explanation, he informed Apple of the AirTag hacking risk in June, but three months later Apple replied that it was still "investigating the problem" and asked that the problem not be disclosed publicly. He added that Apple still had not properly acknowledged the risk of hacking.
In the end, Rauch said that Apple's response was so slow that he decided to publicize the danger of AirTag being exploited for hacking through a blog.
At the same time, Rauch emphasized that, as he explained to Krebs, the hacking risk of AirTag can be easily addressed by simply banning certain characters in the input field of the 'Found' page. "AirTag's security flaws are very easy to fix," said Rauch. "We want Apple to admit that it wasn't aware of the hacking risks when it was designed."
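The kind of fix Rauch describes, restricting what the contact field accepts, can be sketched as follows. This is an added example, not Apple's code or anything from the original report; the function names, the allow-list patterns and the sample inputs are assumptions constructed for illustration. It goes one step beyond banning characters by also escaping the stored values when the page is rendered.

```python
import html
import re

# Assumed allow-lists: a contact is either a plain phone number or a plain e-mail address.
PHONE_RE = re.compile(r"\+?[0-9][0-9 ().-]{5,19}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def validate_contact(value: str) -> str:
    """Return the trimmed contact, or raise ValueError if it is not a phone number or e-mail."""
    value = value.strip()
    if len(value) > 254:
        raise ValueError("contact too long")
    # fullmatch() means markup characters such as < > " ' can never pass as part of a contact.
    if PHONE_RE.fullmatch(value) or EMAIL_RE.fullmatch(value):
        return value
    raise ValueError("contact must be a phone number or e-mail address")


def render_found_page(contact: str, message: str) -> str:
    """Render the owner's details for a finder, escaping at output time as a second layer."""
    return (
        "<p>Contact: " + html.escape(contact, quote=True) + "</p>\n"
        "<p>Message: " + html.escape(message, quote=True) + "</p>"
    )


def check_samples() -> dict:
    """Run constructed sample inputs through the validator; True means accepted."""
    samples = [
        " +1 (555) 010-0199 ",            # constructed phone number
        "owner@example.com",              # constructed e-mail address
        "<script>alert(1)</script>",      # constructed markup in the contact field
        "owner@example.com<img src=x>",   # constructed e-mail with trailing markup
    ]
    results = {}
    for sample in samples:
        try:
            validate_contact(sample)
            results[sample] = True
        except ValueError:
            results[sample] = False
    return results


if __name__ == "__main__":
    for sample, accepted in check_samples().items():
        print(("accepted" if accepted else "rejected"), repr(sample))
    print(render_found_page("owner@example.com", "<b>Please call me</b>"))
```

Validation on input keeps bad data out of storage, and escaping on output keeps any value that still slipped through from being interpreted as markup by the finder's browser.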