Click to Skip Ad
Closing in...

Apple Pay security flaw allows hackers to steal your money when your iPhone is locked

Published Oct 2nd, 2021 9:01AM EDT
Apple Pay flaw
Image: Apple

If you buy through a BGR link, we may earn an affiliate commission, helping support our expert product labs.

Researchers in the UK have discovered a flaw in Apple Pay that allows hackers to make unauthorized contactless payments from your iPhone. The researchers from the University of Birmingham and the University of Surrey published a paper on Thursday describing the method by which this flaw can be exploited. Hackers can even bypass the lock screen of an iPhone with this method.

Watch out for this Apple Pay security flaw

The Express Transit feature that Apple first introduced in iOS 12.3 appears to be the culprit behind the vulnerability. With Express Transit, you can quickly pay for rides on public transportation with a card in the Wallet app. As Apple notes on this support page, you don’t have to validate with Face ID, Touch ID, or a passcode. Express Transit is meant to be convenient, but it’s also key to this exploit.

As the researchers explain, ticket readers transmit a non-standard sequence of bytes that are capable of bypassing the iPhone lock screen. They refer to these as “magic bytes” in their research paper. This allows Express Transit (and similar features on other devices) to function. Apple Pay checks to see if all the requirements are met, and if they are, it processes the payment.

By mimicking a ticket reader, the researchers were able to trick Apple Pay into processing contactless payments. This was only possible with Visa cards, but it was incredibly effective. The researchers say they were able to use an EMV shop reader to make fraudulent payments of any amount from a locked iPhone. They tested up to £1000, but there might not be a limit.

Are Apple and Visa working on a fix?

Unfortunately, neither Apple nor Visa are doing anything to patch this frightening vulnerability. Here’s what the researchers heard back from both companies after informing them of the flaw:

We disclosed this attack to both Apple and Visa, and discussed it with their security teams. Apple suggested that the best solution was for Visa to implement additional fraud detection checks, explicitly checking Issuer Application Data (IAD) and the Merchant Category Code (MCC). Meanwhile, Visa observed that the issue only applied to Apple (i.e., not Samsung Pay), so suggested that a fix should be made to Apple Pay. We verify Apple’s and Visa’s possible solutions in Tamarin and show that either would limit the impact of relaying. At the time of writing neither side has implemented a fix, so the Apple Pay Visa vulnerability remains live

You can actually watch the researchers exploit the vulnerability in this video shared by The Telegraph:

Jacob Siegal
Jacob Siegal Associate Editor

Jacob Siegal is Associate Editor at BGR, having joined the news team in 2013. He has over a decade of professional writing and editing experience, and helps to lead our technology and entertainment product launch and movie release coverage.