Checklist 249: The Problem With Apple Security
On this week’s Checklist:
No good deed
Security researchers have discovered a vulnerability in AirTag. AirTag, Apple’s tracking device for personal belongings, has already been a topic of interest in the security community. As soon as it was announced, it sparked a flurry of privacy concerns — some of which were addressed by Apple.
But this week, KrebsOnSecurity reported on a new AirTag threat: a so-called “Good Samaritan” attack that can be used to target someone who finds a lost AirTag.
Here’s how the attack works. AirTag is designed to help users find lost stuff. For this reason, when an AirTag goes missing, you can put it in Lost Mode. This will generate a unique URL where you can leave a personalized message and phone number for anyone who finds your lost AirTag. If someone does find it, they can scan the AirTag to see the message and phone number.
But here’s the problem. It seems that Apple wasn’t properly validating the data entered into the phone number field. This vulnerability means that a bad actor could mark an AirTag as lost, enter some malicious code instead of an actual phone number, and then leave the trojanized AirTag in a public place. If found and scanned by a helpful stranger, the AirTag would take them to a malicious website — for example, a fake iCloud login page set up to steal credentials.
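To make the class of bug concrete, here is an added example in JavaScript (not Apple's code and not taken from the Krebs report): a minimal Lost Mode "found" page renderer that writes the phone-number field into HTML as-is, next to a version that allow-lists what a phone number may contain and escapes the value where it meets the markup. The function names, the phishing hostname, and the sample inputs are all constructed for the illustration.

```javascript
// Added example (not Apple's code): why a phone-number field must be validated
// and escaped before it is placed in a page. All names and inputs are constructed.

// Vulnerable: the field is interpolated into the page as-is, so whatever the
// owner typed is returned to the finder's browser as live markup.
function renderFoundPageUnsafe(message, phone) {
  return `<p>${message}</p><p>Call: <a href="tel:${phone}">${phone}</a></p>`;
}

// Hardened, step 1: accept only something that looks like a phone number.
// Digits, spaces, and the punctuation phone numbers legitimately use; anything
// else (angle brackets, quotes, "javascript:", ...) is rejected up front.
const PHONE_RE = /^\+?[0-9][0-9 ().-]{5,19}$/;
function isValidPhone(phone) {
  return typeof phone === "string" && PHONE_RE.test(phone);
}

// Hardened, step 2: escape every untrusted value at the HTML sink regardless of
// validation, so a gap in the allow-list cannot turn into script execution.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderFoundPageSafe(message, phone) {
  if (!isValidPhone(phone)) {
    throw new Error("rejected: phone number field contains disallowed characters");
  }
  const safePhone = escapeHtml(phone);
  const safeMessage = escapeHtml(message);
  return `<p>${safeMessage}</p><p>Call: <a href="tel:${safePhone}">${safePhone}</a></p>`;
}

// Constructed sample input: a legitimate owner, and an attacker who stores a
// script in the phone field that sends the finder to a fake login page.
const OWNER_PHONE = "+1 415 555 0100";
const ATTACKER_PHONE = '<script>location="https://phish.example/icloud"</script>';

// Runs both renderers against the attacker's payload and reports what happened.
function demo() {
  const unsafe = renderFoundPageUnsafe("Please call me", ATTACKER_PHONE);
  let rejected = false;
  try {
    renderFoundPageSafe("Please call me", ATTACKER_PHONE);
  } catch (e) {
    rejected = true;
  }
  return {
    unsafeContainsScript: unsafe.includes("<script>"),
    attackerRejected: rejected,
    ownerAccepted: isValidPhone(OWNER_PHONE),
  };
}

console.log(demo());
```

The two steps are deliberately independent: validation stops garbage at the edge and gives the owner a useful error, while output escaping protects the page even if the allow-list is later loosened (for example to admit an extension like "ext. 12"), which is exactly the kind of change that quietly reopens a stored-XSS hole.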
As Krebs points out, that’s not exactly a far-fetched scenario:
A USB stick with malware is very likely how U.S. and Israeli cyber hackers got the infamous Stuxnet worm into the internal, air-gapped network that powered Iran’s nuclear enrichment facilities a decade ago. In 2008, a cyber attack described at the time as “the worst breach of U.S. military computers in history” was traced back to a USB flash drive left in the parking lot of a U.S. Department of Defense facility.
Apple is currently working on a fix for the bug. In the meantime, here’s what you can do to stay safe if you find a lost AirTag.
- Remember that scanning an AirTag in Lost Mode is supposed to take you to a webpage at found.apple.com. That page won’t require any login details.
- If you’re taken to any other page — even to something that looks like an Apple page but is asking you for login information — don’t continue. Something isn’t right, and you could be dealing with a malicious site.
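The advice above boils down to one check: the page you land on must really be found.apple.com. Here is an added example in JavaScript (not Apple's code) of that check done the way a practitioner would, with the lookalike cases that a naive "does the URL contain found.apple.com" test gets wrong. The only host taken from the text is found.apple.com; every other URL in the block is constructed.

```javascript
// Added example (not Apple's code): is this URL really Apple's Lost Mode page?
// EXPECTED_HOST comes from the text; the sample URLs below are constructed.
const EXPECTED_HOST = "found.apple.com";

function isGenuineFoundPage(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // throws on malformed input
  } catch (e) {
    return false;
  }
  // Must be HTTPS.
  if (url.protocol !== "https:") return false;
  // Must be exactly the expected host, not "found.apple.com.evil.example",
  // which merely starts with the expected name.
  if (url.hostname.toLowerCase() !== EXPECTED_HOST) return false;
  // Must not smuggle a fake host in the userinfo part before an "@", as in
  // "https://found.apple.com@evil.example/" (the real host there is evil.example).
  if (url.username !== "" || url.password !== "") return false;
  return true;
}

// Constructed sample URLs exercising the genuine case and the lookalikes.
const SAMPLE_URLS = [
  "https://found.apple.com/airtag/example",
  "http://found.apple.com/airtag/example",
  "https://found.apple.com.evil.example/airtag",
  "https://found.apple.com@evil.example/airtag",
  "https://evil.example/found.apple.com/login",
  "not a url",
];

function classify(urls) {
  return urls.map((u) => ({ url: u, genuine: isGenuineFoundPage(u) }));
}

console.log(classify(SAMPLE_URLS));
```

Comparing the parsed hostname, rather than searching the raw string, is what defeats the subdomain and userinfo tricks; both contain the expected name verbatim and would pass a substring check.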
Apple, the security community, and you
Last week, three iOS 0-day vulnerabilities were made public by security researcher Denis Tokarev:
- A Gamed bug that could allow a malicious app to access user data, including the user’s Apple ID email and associated full name, Apple ID authentication data, as well as contact data and metadata.
- A Nehelper bug that could allow a malicious app to see what other apps are installed on a user’s device.
- A Nehelper bug that could allow a malicious app to access Wi-Fi information without the required permissions.
While the 0-days are exploitable under certain conditions, a Motherboard piece says that Tokarev and other security experts don’t consider the bugs to be critical, since they “could only be exploited by a malicious app that would need to get on the App Store and then on people’s devices”.
The bugs, however, aren’t the biggest story here. These 0-days received so much media attention because Tokarev published his findings before Apple had issued security patches. However, according to the security researcher, this was only because the company had been unresponsive and had “ignored” his most recent email. According to the Motherboard piece:
Tokarev reported the vulnerabilities to Apple between March 10 and April 29, but the last time he heard back from Apple about the three vulnerabilities was August 6, August 12, and August 25, respectively. Then the researcher said he told Apple on September 13 he would publish details of the bugs unless he heard back. It was only after he went public with details about the unpatched bugs that Apple reached out.
As SecureMac’s Nicholas Ptacek remarked in a quote for the Motherboard report:
While I’m glad Apple appears to be taking this particular situation more seriously now, it comes across as more of a reaction to bad press than anything else.
Tokarev’s frustrating experience with the Apple Security Bounty program is, unfortunately, not unique. A number of prominent Mac security researchers have also reported problems with Apple’s responsiveness (or lack thereof). The KrebsOnSecurity piece notes that Bobby Rauch, the researcher who found the AirTag vulnerability, faced similar difficulties:
Apple never acknowledged basic questions he asked about the bug, such as if they had a timeline for fixing it, and if so whether they planned to credit him in the accompanying security advisory.
Unfortunately, this doesn’t just affect independent security researchers, but everyone who uses Apple platforms. As KrebsOnSecurity points out, there is a real risk that “some researchers may decide it’s less of a hassle to sell their exploits to vulnerability brokers, or on the darknet”, or that “frustrated researchers will simply post their findings online for everyone to see and exploit”.
Apple has improved its relationship with the third-party security community in recent years … but it’s clear that there’s still a lot of work to be done.