How one coding error turned AirTags into perfect malware distributors

One of the more frightening facts about mobile IT in 2021 is that simplicity and convenience are far too tempting in small devices (think AppleWatch, AirTags, even rings that track health conditions, smart headphones, etc.). 

Compared with their laptop and desktop ancestors, they make it far more difficult to check that URLs are proper, that SPAM/malware texts/emails don’t get opened and that emlpoyees follow the minimal cybersecurity precautions IT asks. In short, as convenience ramps up, so do security risks. (Confession: Even though I try to be ultra-vigilant with desktop emails, I do periodically — far more often than I should — drop my guard on a message coming through my AppleWatch.)

Another of the always-has-been, always-will-be cybersecurity realities is that small programming errors are easy to make and often get overlooked. And yet, those small errors can lead to gargantuan security holes. This brings us to Apple and Airtags.

A security researcher has come to the CISO rescue and found that an open area for typing in a phone number has unintentionally turned AirTags into God’s gift to malware criminals.

Let’s turn to Ars Technica for details on the disaster. 

“Security consultant and penetration tester Bobby Rauch discovered that Apple’s AirTags — tiny devices which can be affixed to frequently lost items like laptops, phones, or car keys — don’t sanitize user input. This oversight opens the door for AirTags to be used in a drop attack. Instead of seeding a target’s parking lot with USB drives loaded with malware, an attacker can drop a maliciously prepared AirTag,” the publication reported.