Researchers uncover flaw when Apple Pay linked to a Visa card is used for transportation payments on, say, the London Underground
Apple Pay users are being urged to take note of a vulnerability that could allow hackers to steal a £1,000 payment.
Researchers from the University of Birmingham and University of Surrey have gone public with the flaw, after a year of fruitless discussions with both Apple and Visa.
According to the University researchers, the vulnerabilities in Apple Pay and Visa could enable hackers to bypass an iPhone’s Apple Pay lock screen and perform contactless payments.
Express Transit flaw
The problem occurs when Visa payment cards are set up in ‘Express Transit’ mode in an iPhone’s wallet.
As a reminder, ‘Express Transit’ is the Apple Pay feature that allows commuters to make contactless payments, without having to unlock their phone.
This feature is useful for commuters for example using the London Underground, who can simply tap and go with their iPhone at a ticket barrier, without the need for fingerprint authentication.
The researchers made clear the problem lies in the Apple Pay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones, or Visa on Samsung Pay.
The researchers said they used simple radio equipment to identify a unique code broadcast by the transit gates, or turnstiles.
This code, which the researchers have nicknamed the ‘magic bytes’, will apparently unlock Apple Pay.
The researchers then found they were able to use this code to interfere with the signals going between the iPhone and a shop card reader.
“By broadcasting the magic bytes and changing other fields in the protocol, they were able to fool the iPhone into thinking it was talking to a transit gate, whereas actually, it was talking to a shop reader,” said the researchers.
At the same time, the researchers’ method persuades the shop reader that the iPhone had successfully completed its user authorisation, so payments of any amount can be taken without the iPhone’s user’s knowledge.
So, to recap: a small radio near the iPhone tricks the smartphone into believing it is dealing with a ticket barrier. Meanwhile the hacker controls a phone running a bespoke application to relay signals from the victim’s iPhone to a contactless payment terminal, either in a shop or controlled by the criminal.
And because the iPhone thinks it is paying a ticket barrier, it doesn’t need to be unlocked to authorise a fraudulent payment.
“Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users,” said Dr Andreea Radu, in the School of Computer Science at the University of Birmingham, who led the research.
“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely,” said Dr Radu.
So far there is no evidence this attack vector has been used in the wild, but the danger is that if someone were to lose their iPhone or have it stolen, the criminal could take all the time they need to extract payments from the iPhone’s digital wallet.
Even more concerning seems to be the tardy response of both Apple and Visa.
The researchers said they approached both Apple and Visa a year ago, and while useful conversations have reportedly taken place, the problem has not been fixed.
“We show how a usability feature in contactless mobile payments can lower security,” noted the research co-author Dr Ioana Boureanu, from the University of Surrey’s Centre for Cyber Security.
“But, we also uncovered contactless mobile-payment designs, such as Samsung Pay, which is both usable and secure. ApplePay users should not have to trade-off security for usability, but – at the moment – some of them do.”
So with no action from Apple or Visa, what can iPhone users do to protect themselves going forward?
Well, co-author Dr Tom Chothia, from the School of Computer Science at the University of Birmingham, had the following advice for concerned users.
“iPhone owners should check if they have a Visa card set up for transit payments, and if so they should disable it,” said Dr Chothia. “There is no need for Apple Pay users to be in danger but until Apple or Visa fix this they are.”
A security expert has said that while this attack vector is unlikely, it would be a good idea for users to disable or remove the ‘express card’ feature on Apple Pay if they are using a Visa card.
“This highly impressive attack executed under test conditions highlights that with enough dedication and time, exploits will be found,” noted Jake Moore, cybersecurity specialist at ESET. “It is important to stress this is highly unlikely to become an attack vector used by criminals but even so, it would be a good idea to remove the ‘express card’ usage on any phone.”
“Making functionality and transactions easier often reduces the security of the transaction, so people should remain mindful that it is worth the extra seconds it takes to verify a purchase such as a train ticket via Face ID, Touch ID or a passcode,” said Moore.