British researchers have discovered a flaw in Apple Pay that allows attackers to make unauthorized contactless payments from your iPhone. Researchers at the University of Birmingham and the University of Surrey published a paper on Thursday describing how this flaw can be exploited. The method even works while the iPhone is locked, bypassing the lock screen entirely.
Watch out for this Apple Pay security flaw
The Express Transit feature that Apple first introduced in iOS 12.3 appears to be the cause of the vulnerability. With Express Transit, you can quickly pay for your public transport journeys with a card in the Wallet app. As Apple notes on this support page, you don’t need to authenticate with Face ID, Touch ID, or a password. Express Transit is meant to be convenient, but that convenience is also the key to this attack.
As the researchers explain, ticket readers transmit a non-standard sequence of bytes that bypasses the iPhone lock screen. They call these “magic bytes” in their research paper. This is what allows Express Transit (and similar features on other devices) to work: Apple Pay checks whether all the conditions are met and, if they are, processes the payment without any user verification.
By imitating a ticket reader, the researchers managed to get Apple Pay to process contactless payments. This was only possible with Visa cards, but against them it was remarkably effective. The researchers say they were able to use an EMV store reader to make fraudulent payments of any amount from a locked iPhone. They tested up to £1000, but there may be no upper limit.
Are Apple and Visa working on a fix?
Unfortunately, neither Apple nor Visa has yet done anything to correct this frightening vulnerability. Here’s what the researchers heard from the two companies after telling them about the flaw:
“We disclosed this attack to Apple and Visa and discussed it with their security teams. Apple suggested the best solution was for Visa to implement additional fraud detection checks, explicitly verifying Issuer Application Data (IAD) and Merchant Category Code (MCC). Meanwhile, Visa observed that the issue only applied to Apple (i.e. not Samsung Pay), and therefore suggested that a fix be made to Apple Pay. We check the possible solutions from Apple and Visa in Tamarin and show that either one would limit the impact of the relay. At the time of writing, neither party has implemented a patch, so the Apple Pay Visa vulnerability remains active.”
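The mitigation Apple put to Visa above, an issuer-side fraud check that cross-verifies the Issuer Application Data (IAD) against the Merchant Category Code (MCC), can be sketched as a small authorisation rule. The following is an added example written for this article; it is not code from the researchers, Apple or Visa. The record layout, the name of the transit-mode indicator, the set of transit MCCs and the per-transaction cap are all assumptions, and the three sample authorisation requests are constructed for the demonstration.

```python
"""Issuer-side fraud rule: a payment whose IAD says the wallet used its
no-verification transit path must come from a transit merchant.

Added example. Field names, the MCC set and the cap are assumptions, not
the real Visa or Apple Pay encoding."""

from dataclasses import dataclass

# Assumed: MCCs an issuer would accept for an Express Transit style tap
# (4111 local/commuter transport, 4112 passenger railways, 4131 bus lines).
TRANSIT_MCCS = {"4111", "4112", "4131"}

# Assumed policy: cap on a single payment authorised with no user verification.
NO_CVM_CAP_GBP = 50.00


@dataclass
class Authorisation:
    amount_gbp: float
    mcc: str
    # Assumed: a flag the issuer can read from the IAD (tag 9F10) saying the
    # device took its transit path, i.e. the lock screen was bypassed.
    iad_transit_mode: bool
    # Whether consumer device verification (Face ID / Touch ID) was performed.
    cvm_performed: bool


def evaluate(auth: Authorisation) -> tuple:
    """Return (decision, reason) for one authorisation request."""
    if auth.iad_transit_mode:
        if auth.mcc not in TRANSIT_MCCS:
            # The core cross-check: transit-mode IAD at a non-transit merchant
            # is exactly what a relayed Express Transit payment looks like.
            return ("DECLINE", "transit-mode IAD but non-transit MCC %s" % auth.mcc)
        if auth.amount_gbp > NO_CVM_CAP_GBP:
            return ("DECLINE", "transit-mode payment above no-verification cap")
        return ("APPROVE", "transit tap within policy")
    if not auth.cvm_performed and auth.amount_gbp > NO_CVM_CAP_GBP:
        return ("DECLINE", "amount above cap without consumer device verification")
    return ("APPROVE", "ok")


# Constructed sample requests: a real bus tap, the relay scenario from the
# article (retail terminal, locked phone, large amount), and a normal purchase.
SAMPLE_REQUESTS = [
    Authorisation(2.40, "4131", iad_transit_mode=True, cvm_performed=False),
    Authorisation(1000.00, "5999", iad_transit_mode=True, cvm_performed=False),
    Authorisation(120.00, "5999", iad_transit_mode=False, cvm_performed=True),
]


def evaluate_batch(requests=SAMPLE_REQUESTS) -> list:
    """Decisions for a list of requests, in order."""
    return [evaluate(a)[0] for a in requests]


if __name__ == "__main__":
    for a in SAMPLE_REQUESTS:
        decision, reason = evaluate(a)
        print(f"{decision:7} £{a.amount_gbp:8.2f} MCC {a.mcc}: {reason}")
```

The rule says nothing about how the relay is performed; it only uses two fields the issuer already sees in the authorisation message. That is why the researchers note either party's fix would limit the impact: the issuer can refuse the mismatched combination even if the handset keeps accepting the reader's bytes.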
You can actually watch the researchers exploit the vulnerability in this video shared by The Telegraph: