Cyber Blurbs: AirTags, Apple Pay Dealing with Security Flaws

In this week’s Cyber Blurbs Roundup, we cover an issue with Apple’s AirTags, the problem with Apple Pay’s Express Transit, and a massive data breach for one of the world's luxury department stores.

The AirTag ‘Good Samaritan’ Attack

Earlier this year, Apple finally unveiled its long-rumored item tracker — a tracking device designed to help people find items that are frequently lost. Think Tile, but with that iconic Apple logo capable of motivating the masses into opening their wallets. It quickly became one of the mainstays for item trackers, largely thanks to its ability to leverage Apple’s Find My network to create a reliable radar for finding lost items. 

But with that usefulness comes popularity, which in turn tends to make a product a target.

Late last month, security researchers notified Apple of what they called the “Good Samaritan” attack. AirTags were not just designed to prevent items from being lost, they were also intended to ensure that lost items could be returned to their original owner. Those who find the lost item — be it a set of keys, a backpack, or any other item with an AirTag attached — can scan the tracker with their mobile device to identify the owner’s phone number and email address. 

What scanning a lost AirTag was certainly never designed to do was require these “good samaritans” to log in to their iCloud accounts. Most folks don’t know that, though, which opens the door for them to be duped into handing their login credentials to malicious actors.

Security researcher Bobby Rauch demonstrated exactly that — manipulating the tracking device so that a finder is redirected from the safe landing page to a phishing attempt. According to Rauch, who spoke to several cyber news outlets including ArsTechnica and KrebsOnSecurity, carrying out the attack doesn’t require much heavy lifting. All it takes is a cross-site scripting payload entered into the device’s phone number field, which is then rendered to whoever scans the tag. From there, the attacker simply hopes the finder is unsuspecting enough to type in their login credentials, which isn’t much of a stretch.
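The root cause Rauch describes is a classic one: a user-controlled field rendered into a page without validation or output encoding. As an added illustration (this is not Apple’s code, and the function names and markup are assumptions), the snippet below contrasts the unsafe rendering pattern with a hardened one that allow-lists phone-number characters and HTML-escapes anything it does render:

```javascript
// Added example, not Apple's code: how a "contact phone number" field
// should be handled before it reaches the page shown to a finder.
// Two independent layers: a strict allow-list validator and HTML escaping.

// Optional leading "+", a digit, then 5-19 digits/spaces/parens/dashes.
const PHONE_RE = /^\+?[0-9][0-9 ()-]{5,19}$/;

// Allow-list validation: anything that is not plausibly a phone number is rejected.
function isValidPhone(value) {
  return typeof value === 'string' && PHONE_RE.test(value.trim());
}

// Escape the five characters that change meaning in HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: user-controlled data concatenated straight into markup,
// so any tags stored in the field become live HTML for whoever views the page.
function renderContactUnsafe(phone) {
  return `<p class="contact">Owner phone: ${phone}</p>`;
}

// Hardened pattern: reject input that is not a phone number, and escape
// whatever is rendered so stored markup is displayed as inert text.
function renderContactSafe(phone) {
  if (!isValidPhone(phone)) {
    return '<p class="contact">Owner did not provide a valid phone number.</p>';
  }
  return `<p class="contact">Owner phone: ${escapeHtml(phone.trim())}</p>`;
}

// Constructed sample inputs: a legitimate number and a field stuffed with markup.
const GOOD_PHONE = '+1 (555) 010-0199';
const BAD_PHONE = '555-0100<b onmouseover="x()">call me</b>';

console.log(renderContactUnsafe(BAD_PHONE)); // markup survives intact
console.log(renderContactSafe(BAD_PHONE));   // rejected by the allow-list
console.log(renderContactSafe(GOOD_PHONE));  // rendered, escaped
```

The validator alone is not enough on its own: the escaping layer is what protects the page if a field is ever populated through a path that skips validation.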

Rauch says he notified Apple of the vulnerability in June, but for about three months the company offered little beyond saying it was “still investigating” the matter, per Krebs. The company recently notified Rauch that it planned to address the issue in an upcoming update. In the meantime, consider walking past any AirTags you may encounter in the wild.

Apple Pay’s Express Transit Vulnerability

Apple’s vulnerabilities don’t stop there. A different group of security researchers from the UK recently announced findings associated with Apple Pay — the iPhone maker’s digital payment service. 

According to the findings, shared with The Telegraph, the issue exists on devices using Express Transit while having a Visa card set as the default payment method. Express Transit, by design, does not require users to authenticate via Face or Touch ID as a way of speeding up the payment process while accessing public transportation. Security concerns were brushed off due to the relatively low amount of money often associated with public transit fares, as well as daily limits to the amount of money one can spend on transit. 

But security researchers based at the Universities of Birmingham and Surrey developed a way to dupe the device into thinking it’s near one of those Express Transit terminals, and even managed to bypass the daily and per-transaction limits designed to protect users from having their accounts drained. The researchers said they were able to perform a £1,000 (a little more than $1,350 for our American readers) transaction on a locked iPhone, with no authentication required, using commercially available radio equipment.

Apple says the issue is rooted in the way Visa handles these transactions. 

"We take any threat to users' security very seriously," Apple told the BBC. "This is a concern with a Visa system but Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place. In the unlikely event that an unauthorized payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero liability policy."

There is no evidence to suggest that this attack has been actively exploited in the real world. Visa also claims these sorts of attacks are unlikely to occur outside of a controlled environment.

"Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence," a Visa spokesperson told the BBC. "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world."

Neiman Marcus Hack Exposes 4.6 Million Customers

Neiman Marcus, the luxury department store for those comfortable with paying $695 for uncomfortable shoes, ended its September by informing 4.6 million of its customers of a data breach. News of the incident comes about 16 months after it took place in May 2020 (perhaps they withheld the information after realizing folks already had enough issues on their plate). Neiman Marcus says it is working with cybersecurity company Mandiant to investigate the attack. 

The retailer listed the following as data that’s been potentially exposed:

  • Names
  • Contact information
  • Payment card numbers (and expiration dates)
  • Virtual gift card numbers
  • Usernames
  • Passwords
  • Security questions and answers linked to Neiman Marcus accounts

The company says about 3.1 million payment methods and gift cards were impacted, although it does state that more than 85% of those payment methods were expired.

Neiman Marcus has also set up a website for customers to access for more information about the hack. 
