Researchers in the UK have discovered a bug in Apple Pay that allows hackers to make unauthorized contactless payments from your iPhone. Researchers at the University of Birmingham and the University of Surrey published a paper Thursday describing the method by which this flaw can be exploited. Hackers can even bypass an iPhone’s lock screen using this method.
Watch out for this security hole in Apple Pay
The Express Transit feature, which Apple first introduced in iOS 12.3, seems to be responsible for the security hole. With Express Transit, you can quickly pay for public transport trips with a card in the Wallet app. As Apple notes on this support page, there is no need to verify with Face ID, Touch ID, or a passcode. Express Transit is supposed to be convenient, but it is also key to this exploit.
As the researchers explain, ticket readers transmit a non-standard sequence of bytes capable of bypassing the iPhone lock screen. In their research they refer to these as “magic bytes”. This allows Express Transit (and similar features on other devices) to work. Apple Pay checks that all requirements are met and, if they are, processes the payment.
By mimicking a ticket reader, the researchers were able to get Apple Pay to process contactless payments. This was only possible with Visa cards, but it was incredibly effective. The researchers say they were able to use an EMV shop reader to make fraudulent payments of any amount from a locked iPhone. They tested up to £1000, but there may not be a limit.
Are Apple and Visa working on a solution?
Unfortunately, neither Apple nor Visa is doing anything to address this frightening vulnerability. Here’s what the researchers heard from both companies after informing them of the bug:
“We reported this attack to both Apple and Visa and discussed it with their security teams. Apple suggested that the best solution would be for Visa to implement additional fraud detection checks that explicitly check the Issuer Application Data (IAD) and Merchant Category Code (MCC). Meanwhile, Visa determined that the problem only applies to Apple (that is, not Samsung Pay), so they suggested fixing Apple Pay. We’re reviewing Apple’s and Visa’s possible solutions in Tamarin and showing that both would limit the impact of the forwarding. At the time of writing, neither side has implemented a fix, so the Apple Pay Visa vulnerability remains active.”
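The issuer-side cross-check Apple suggested in the quote above, as an added example (not code from the researchers, Apple or Visa): a payment made without user verification is accepted only when the merchant category code is a transit one. The `user_verified` field stands in for whatever the issuer decodes from the IAD, and the record layout, function names, accepted MCC set and sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Merchant category codes for transit merchants (commuter transport,
# passenger rail, bus lines, tolls). Which codes an issuer accepts for
# Express Transit is a policy choice; this set is an assumption.
TRANSIT_MCCS = frozenset({"4111", "4112", "4131", "4784"})


@dataclass(frozen=True)
class AuthRequest:
    txn_id: str
    mcc: Optional[str]      # merchant category code from the acquirer
    amount_pence: int
    # Hypothetical field: True if the issuer's decoding of the IAD shows
    # the wallet verified the user (Face ID, Touch ID or passcode).
    user_verified: bool


def decide(req: AuthRequest) -> str:
    """Return 'approve' or 'decline' from the IAD/MCC cross-check only."""
    if req.user_verified:
        return "approve"    # normal, unlocked Apple Pay payment
    # No user verification is only plausible for an Express Transit tap,
    # so the merchant must be a transit merchant. A missing or unknown
    # MCC fails closed.
    if req.mcc in TRANSIT_MCCS:
        return "approve"
    return "decline"


def flagged(requests):
    """IDs of the requests the cross-check would decline."""
    return [r.txn_id for r in requests if decide(r) == "decline"]


# Constructed sample authorisation requests (not real data).
SAMPLES = [
    AuthRequest("t1", "4111", 240, user_verified=False),     # ticket gate
    AuthRequest("t2", "5411", 1850, user_verified=True),     # unlocked phone, shop
    AuthRequest("t3", "5732", 100000, user_verified=False),  # locked phone, shop reader
    AuthRequest("t4", None, 500, user_verified=False),       # MCC missing
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.txn_id, r.mcc, r.amount_pence, decide(r))
```

Neither field is enough alone: `t1` and `t3` carry the same verification state and differ only in the MCC, which is why the check compares the two.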
In this video from The Telegraph, you can actually watch the researchers exploit the vulnerability: