Researchers in the UK have discovered a flaw in Apple Pay that allows hackers to make unauthorized contactless payments from your iPhone. The researchers from the University of Birmingham and the University of Surrey published a paper on Thursday describing the method by which this flaw can be exploited. Hackers can even bypass the lock screen of an iPhone with this method.
Watch out for this Apple Pay security flaw
The Express Transit feature that Apple first introduced in iOS 12.3 appears to be the culprit behind the vulnerability. With Express Transit, you can quickly pay for rides on public transportation with a card in the Wallet app. As Apple notes on this support page, you don’t have to validate with Face ID, Touch ID, or a passcode. Express Transit is meant to be convenient, but it’s also key to this exploit.
As the researchers explain, ticket readers transmit a non-standard sequence of bytes that are capable of bypassing the iPhone lock screen. They refer to these as “magic bytes” in their research paper. This allows Express Transit (and similar features on other devices) to function. Apple Pay checks to see if all the requirements are met, and if they are, it processes the payment.
By mimicking a ticket reader, the researchers were able to trick Apple Pay into processing contactless payments. This was only possible with Visa cards, but it was incredibly effective. The researchers say they were able to use an EMV shop reader to make fraudulent payments of any amount from a locked iPhone. They tested up to £1000, but there might not be a limit.
Are Apple and Visa working on a fix?
Unfortunately, neither Apple nor Visa are doing anything to patch this frightening vulnerability. Here’s what the researchers heard back from both companies after informing them of the flaw:
We disclosed this attack to both Apple and Visa, and discussed it with their security teams. Apple suggested that the best solution was for Visa to implement additional fraud detection checks, explicitly checking Issuer Application Data (IAD) and the Merchant Category Code (MCC). Meanwhile, Visa observed that the issue only applied to Apple (i.e., not Samsung Pay), so suggested that a fix should be made to Apple Pay. We verify Apple’s and Visa’s possible solutions in Tamarin and show that either would limit the impact of relaying. At the time of writing neither side has implemented a fix, so the Apple Pay Visa vulnerability remains live
You can actually watch the researchers exploit the vulnerability in this video shared by The Telegraph: