Researchers have discovered a flaw in iPhones that could lead to large unauthorized contactless payments. The exploit takes advantage of Apple Pay’s ‘Express Transit’ feature, which allows commuters to make swift contactless payments without unlocking their phone.
Security researchers from the Computer Science departments of Birmingham and Surrey Universities showed the BBC a video of a £1,000 contactless Visa payment from a locked iPhone.
Apple has said that the flaw specifically targets Visa cards set up in Express Transit.
The researchers who discovered the flaw agree with the assessment, saying it is an issue with how Visa systems work with the feature.
Visa has since claimed that the systems are secure and that such an attack is impractical outside of a lab.
Flaw Discovered in Apple Pay, Visa Contactless Payments
The researchers demonstrated the attack to BBC journalists, where they made a Visa payment of £1,000 without unlocking the phone or authorizing the payment. The exploit follows a series of steps listed below, with some key details redacted for security reasons:
- First, they placed a small commercially available piece of radio equipment near the iPhone. This tricks it into believing it is dealing with a ticket barrier.
- At the same time, they used an Android phone running an application they developed to relay signals from the iPhone to a contactless payment terminal. This could happen in a shop or in the hands of a criminal, the researchers said.
- Since the iPhone is tricked into thinking it is paying a ticket barrier, it doesn’t need to be unlocked.
- Meanwhile, the iPhone’s interaction with the payment terminal is altered. This leads the terminal to believe the device has been unlocked and the payment is authorized. Consequently, high-value transactions can be made without providing any security credentials, like a user’s PIN, fingerprint, or Face ID.
The researchers also said that the Android device and payment terminal do not need to be close to the victim’s iPhone. According to Dr. Ioana Boureanu of the University of Surrey, “It can be on another continent from the iPhone as long as there’s an internet connection.”
As of now, there is no evidence that the exploit has been used outside of a lab setting, but researchers believe that the attack would be easiest to deploy against a stolen iPhone.
On the positive side, the researchers found other systems, such as Samsung Pay and Mastercard, were not vulnerable to the hack.
Visa Says Systems Secure, Attack Impractical Outside Lab
The researchers added that they approached both Apple and Visa a year ago. At the time, they had “useful” conversations, but the issue was not resolved.
Visa said it was aware of variations of contactless fraud, which have been studied in labs for over a decade. However, the financial services titan said that the attack was “impractical to execute in the real world.”
The company said cards connected to the Apply Pay Express Transit feature are secure. They further urged cardholders to continue using them.
Apple stated that the concern pertains to a Visa system.
“Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place,” it added.