CISO Update #44
Nefarious use of Bluetooth Tracker Fobs

One of the coolest gadgets to emerge in recent years, and one that may even have been on your Christmas list, is the small Bluetooth tracker fob. The device, about the size of a Scrabble tile, can be attached to almost anything, and the item can then be tracked with a smartphone app. Versions of these trackers have been released by Samsung, Apple, Tile, and Chipolo, to name a few. Their main purpose is to help you find things that are often misplaced, like keys, luggage, and even pets. These tracker fobs can even be used to locate things that have been stolen. But like everything else in the tech world, this helpful gadget can be misused, and cybercriminals have found a way to turn it to their advantage.

The tracker fob produced by Apple, called the AirTag, has an additional feature where owners can enable “Lost Mode,” in the event the tracker fob itself gets lost. Lost Mode lets the owner create a unique webpage that displays a message stating who to contact if the device is found. This feature is helpful to reunite the tracking device with its owner, but Lost Mode can also be used maliciously. Threat actors can take advantage of this feature by redirecting the user to a fraudulent Apple iCloud login page where their credentials can then be stolen. Apple has acknowledged this vulnerability and plans to have a fix for it soon.

This method is very similar to the attack in which weaponized USB sticks are left in conference rooms or parking lots for curious bystanders to plug in, also called “USB drop attacks.” Just this month, the FBI warned of a cybercrime group sending packages to different U.S. firms. The packages are disguised as being sent by the U.S. Department of Health and Human Services or Amazon and contain USB flash drives that launch dangerous malware, sometimes even ransomware. Read more about that here.

What can you do?

  • If you own an Apple AirTag, don’t enable “Lost Mode” until this vulnerability is fixed.

  • If you find an Apple AirTag, don’t try to locate its owner using the “Lost Mode” feature.

  • If you find a USB drive on the FIT campus, don’t plug it in to see who it belongs to or what’s on it. Instead, turn it in to Campus Safety or to the IT Help Desk.

Guest Post by Patricia Krakow, IT Security Systems Specialist

About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit and stay tuned for emails from for the latest from the Cybersafe campaign at FIT. Read past issues here.