I thought this was interesting and relevant to our recent discussions about social engineering. Apple AirTags are used to locate frequently lost devices. Finders of a tag can scan the device on their iPhone to reveal information about the tag’s owner if it’s in “lost mode.” During the scan, the finder’s iPhone displays a custom web page with the owner’s phone number.
The AirTag “Good Samaritan Attack” exploits a flaw in this process, which does not sanitize the input to the phone number field. This allows the bad actor to input anything they’d like into the field, e.g. a redirect to an iCloud phishing page. The deployment is similar to USB baiting attacks, where USB devices are dropped outside the target location. The Good Samaritan picks up the device, scans the tag, and is redirected to the attack page. This is concerning, as users are not as diligent about checking sites on mobile devices, and it may not be clear that they are being redirected to a malicious site.
The researcher who found the bug, Bobby Rauch, reported that Apple was not responsive to his attempts to disclose the issue. This has been a trend among security researchers who report issues to Apple. Rauch stated that they never answered his questions about the bug bounty program and did not follow up with their remediation plan. Apple did ask that Rauch avoid publicizing his findings; however, he did not comply with this request due to their lack of communication.
Article: Apple AirTag Bug Enables ‘Good Samaritan’ Attack
Author: Brian Krebs
Published: September 28, 2021
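The core defect described above is a free-text contact field rendered into a web page without validation or escaping. The following is an added illustration (not code from Apple or from the researcher) of the two controls that close that gap: an allow-list check on the phone number at input time, and HTML escaping at render time so that even a value that slipped past validation appears only as inert text. Function names and the sample inputs are constructed for this example.

```python
import html
import re
from typing import Optional

# Allow-list for the owner's contact number: optional leading "+", then digits
# with common separators. Markup, URLs and script text can never match this.
_PHONE_SHAPE = re.compile(r"^\+?[0-9][0-9 .()\-]{4,19}$")


def normalize_phone(raw: str) -> Optional[str]:
    """Validate a lost-mode contact number on input.

    Returns the number reduced to '+' and digits (e.g. '+15550100123'),
    or None when the value is not shaped like a phone number at all.
    """
    candidate = raw.strip()
    if not _PHONE_SHAPE.fullmatch(candidate):
        return None
    digits = re.sub(r"[^0-9+]", "", candidate)
    if "+" in digits[1:]:  # a "+" is only meaningful as the first character
        return None
    if not 6 <= len(digits.lstrip("+")) <= 15:  # E.164 allows at most 15 digits
        return None
    return digits


def render_contact_html(stored_value: str) -> str:
    """Render the owner's number for the finder's page.

    Defense in depth: whatever was stored is HTML-escaped here, so a value
    that bypassed input validation still cannot inject markup or a redirect.
    """
    return f"<p>Owner contact: {html.escape(stored_value, quote=True)}</p>"


# Constructed sample inputs (not taken from the report) showing accept/reject.
SAMPLE_INPUTS = {
    "+1 (555) 010-0123": "+15550100123",          # accepted and normalized
    "+44 20 7946 0958": "+442079460958",          # accepted and normalized
    "555-0100<img src=x>": None,                  # embedded markup: rejected
    "https://example.invalid/contact": None,      # a URL, not a number: rejected
}

if __name__ == "__main__":
    for raw, expected in SAMPLE_INPUTS.items():
        result = normalize_phone(raw)
        assert result == expected, (raw, result)
        if result is not None:
            print(render_contact_html(result))
```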
Hi Matt,
This is a really interesting find by the researcher Bobby Rauch. This attack is really unfortunate due to the victims being individuals who are just trying to help someone else find their lost item. It will really influence the number of people willing to try and return a lost AirTag. Truly no good deed goes unpunished.
It’s a shame that a person doing the right thing is the crux of this attack. It goes to show how susceptible we are to social engineering.