An Apple Pay exploit allows attackers to “wirelessly pickpocket money” from a locked iPhone

A group of UK-based security researchers has discovered an Apple Pay vulnerability that allows attackers to bypass Apple’s lock screen authentication barriers to make wireless payments.

For safety and security, Apple Pay uses a device-specific number and unique transaction code so users’ card numbers are not saved on the device, Apple servers, and merchants. Furthermore, to complete wireless payments users have to unlock their devices via Face ID or other authentication methods to prevent fraudulent transactions. But, researchers have found this security barrier can be breached to “wirelessly pickpocket money”.

Apple Pay is safer than using a physical credit, debit, or prepaid card. Face ID, Touch ID, or your passcode are required for purchases on your iPhone, Apple Watch, Mac, or iPad. – Apple

apple pay

Visa cards in Apple Express Transit mode creates Apple Pay exploit to make wireless payments without authentication

Apple’s Express Transit mode enables users to quickly for rides via Apple Pay without unlocking their iPhone or Apple Watch. Now, the investigation reveals that Visa cards in Apple Express Transit mode create a security vulnerability that allows relay attacks. Relay attackers can make unauthorized wireless payments by creating a unique code broadcast via transit gates that signal the device to unlock Apple Pay.

Apple Pay

Researchers were able to carry out the Apple Pay exploit by using common radio equipment to trick an iPhone into believing it was at a transit gate. The investigation proves that Mastercard’s has stronger protection against such Apple Pay exploits

Relay attackers can forward messages between a contactless EMV bank card and a shop reader, making it possible to wirelessly pickpocket money. To protect against this, Apple Pay requires a user’s fingerprint or Face ID to authorise payments, while Mastercard and Visa have proposed protocols to stop such relay attacks. We investigate transport payment modes and find that we can build on relaying to bypass the Apple Pay lock screen, and illicitly pay from a locked iPhone to any EMV reader, for any amount, without user authorisation.

We show that Visa’s proposed relay-countermeasure can be bypassed using rooted smart phones. We analyse Mastercard’s relay protection, and show that its timing bounds could be more reliably imposed at the ISO 14443 protocol level, rather than at the EMV protocol level.

However, Visa Card said in a statement to ZDNet that this Apple Pay exploit is impractical in a real-world setting and that the company takes all security threats very seriously. The company’s stance is also supported by the researchers who state that institutions have other security bifurcations against such attacks.

Although Apple says that this Apple Pay exploit is primarily a concern with a Visa system and not with its system, the company has security vulnerabilities that require immediate fixes. Recently, researchers have published three iOS 15 zero-day flaws, an AirTag exploit which enables attackers to hijack Apple ID credentials, and a lock screen exploit in iOS 15 that gives access to Notes without a passcode.

About the Author

Addicted to social media and in love with iPhone, started blogging as a hobby. And now it's my passion for every day is a new learning experience. Hopefully, manufacturers will continue to use innovative solutions and we will keep on letting you know about them.