Apple AirTag Bug Enables Good Samaritan Attack

AirTags do not have holes or other mechanical features that would allow them to be positively attached or affixed to the item being tracked; solutions include adhesives and purpose-built accessories. The polyurethane AirTag Loop is the least expensive solution sold by Apple; it costs the same as a single AirTag and has been criticized as an “accessory tax”. AirTag requires an Apple ID and iOS or iPadOS 14.5 or later. It uses the CR2032 button cell, replaceable with one year of battery life (though batteries with child-resistant bitterants cannot be used due to the design of the AirTag battery terminal). The maximum range of Bluetooth tracking is estimated to be around 100 meters. The water-resistance of an AirTag is rated IP67 water and dust; an AirTag can withstand 30 minutes of water immersion in standard laboratory conditions.

As usual the news reports left out details like the ones being stated here. So much of the technology we use today fills what to others are trivial use cases. As always, if you don’t need it, if it provides you no value, then don’t buy it. Related, some people live in areas with enough crime to worry about theft. And, contrariwise, cars are stolen all the time in my low-crime part of Seattle. Remembering where things are is something that only some people do.

When the owner enables Lost Mode, it can display a phone number or address on a specialized website. Security consultant and penetration tester Bobby Rauch discovered that Apple’s AirTags—tiny devices which can be affixed to frequently lost items like laptops, phones, or car keys—don’t sanitize user input. This oversight opens the door for AirTags to be used in a drop attack. Instead of seeding a target’s parking lot with USB drives loaded with malware, an attacker can drop a maliciously prepared AirTag. Users who set their AirTags to lost mode are prompted to provide a contact phone number for finders to call.

Understand that typically the discoverer is doing a favor for the publisher.

But that is trivial because you can use anonymous contact info and won’t care if someone gets that info before you report it as lost. The initial reports surfaced about 4 business weeks ago. That’s plenty of time to grasp the internal issues and release a robust action plan.

The term is probably misplaced in this context. That having been said, I thought it was a well-written article and it comes to the same conclusion I came to on my own. AirTags are doing the same thing that others have done in the past. There is increased risk due to the fact that they are more popular than the others, but this is greatly offset by the safeguards Apple is building in to their ecosystem, which other products are not (yet?) doing. Sure enough, the key was recently located in the pocket of a rarely-worn winter coat in our basement closet. I immediately ordered an AirTag to attach to the keys.
