
Have an AirTag? Bad news: It can be hacked to steal your Apple account

Losing your stuff can be frustrating. You try to backtrack and still can’t find what you’re looking for. GPS trackers solve this problem by showing you the location of your things. Apple threw its hat in the ring by releasing AirTag trackers. Just attach one to your car keys, purse, TV remote or whatever you don’t want to lose.

There are some inherent risks in a device that can be used to track just about anything. Somebody can slip an AirTag device into your bag without you knowing and track you from their phone. Tap or click here to find out what Apple is doing to prevent this dangerous practice.

So, what happens when you lose the tracker itself? Hopefully, the right person finds it and gets it back to you. The thing is that a lost AirTag can hurt the Good Samaritan more than it does you. Read on to find out how.

No good deed goes unpunished

A security consultant discovered a vulnerability in AirTag trackers that would allow bad actors to insert malicious code into messages about “lost” AirTags. Bobby Rauch reported the weakness to Apple and also told the story to cybersecurity blogger KrebsOnSecurity.

AirTags have a Lost Mode that lets people who find lost AirTags get them back to their owner. If someone finds a missing AirTag, they can scan it with their phone to get the owner’s phone number.


When you turn on Lost Mode, a unique URL is created at found.apple.com. You can add a message that includes your phone number or email address. If someone else finds your AirTag, they can use an iPhone or Android phone to access the URL with your Lost Mode message. 

The problem is that the phone number field accepts more than a phone number. A bad actor can enter code into that field instead of a number, and when the Good Samaritan's phone loads the Lost Mode URL, that code redirects them wherever the attacker wants, including a fake login page or malicious website.

For example, the person who finds the missing AirTag will scan it with their phone and be taken to an iCloud login page, where they’re asked to enter their credentials to find the owner. The AirTag was purposely left out for someone to find, and the iCloud page is phony.
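As an added illustration, not code from the article or from Apple, here is how a hypothetical "found" page could treat the owner's phone number field as untrusted input: allowlist-validate it so only phone-number characters are accepted, and HTML-escape every owner-supplied value on output so nothing typed into the field is treated as markup. The function names, the pattern and the sample inputs are assumptions constructed for this example.

```python
import html
import re

# Allowlist for the phone number field: optional leading "+", digits, and
# common separators (space, dash, dot, parentheses). Hypothetical rule,
# not Apple's implementation.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 .()\-]{5,18}[0-9]$")


def is_valid_phone(value: str) -> bool:
    """Return True only if the value looks like a phone number."""
    return bool(PHONE_RE.fullmatch(value.strip()))


def render_lost_mode_page(phone: str, message: str) -> str:
    """Render the page a finder sees.

    First defence: reject a phone field that is not a phone number.
    Second defence: HTML-escape every owner-supplied value on output, so
    even a value that slipped past validation cannot run as code.
    """
    if not is_valid_phone(phone):
        raise ValueError("phone number field must contain a phone number only")
    safe_phone = html.escape(phone, quote=True)
    safe_message = html.escape(message, quote=True)
    return (
        "<p>This AirTag is lost. Contact the owner:</p>\n"
        f'<p>Phone: <a href="tel:{safe_phone}">{safe_phone}</a></p>\n'
        f"<p>Message: {safe_message}</p>\n"
    )


# Constructed sample inputs (not taken from the article).
GOOD_PHONE = "+1 555-0100"
BAD_PHONE = "555-0100<script>alert(1)</script>"  # markup where a number belongs


def demo() -> dict:
    """Exercise both defences and return the outcomes for inspection."""
    result = {
        "good_accepted": is_valid_phone(GOOD_PHONE),
        "bad_accepted": is_valid_phone(BAD_PHONE),
    }
    page = render_lost_mode_page(GOOD_PHONE, "Please call <me>!")
    result["message_escaped"] = "<me>" not in page and "&lt;me&gt;" in page
    return result


if __name__ == "__main__":
    print(demo())
```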

Avoid this Good Samaritan scam

Apple responded to Rauch via email, saying the issue is being worked on. In the meantime, if you find an AirTag, be aware that you don’t need to log in to any site to return it to its owner. If you are taken to such a page, throw away the AirTag so nobody else can fall for the scam.

A legitimately lost AirTag will take you to a page with an email or phone number to contact. There are no fields for you to fill in.
