Apple Pay, Visa bug allows hacking contactless payments
UK researchers discovered unauthorized contactless payments possible on a locked iPhone due to flaws with Apple Pay and Visa.
Security researchers for the Universities of Birmingham and Surrey released a paper on Thursday detailing how hackers can bypass the Apple Pay lock screen on any iPhone with a Visa card set up in Express transit mode.
Express mode is meant to integrate payment cards with travel cards on iPhone devices using Apple Pay.
According to the paper, attackers can bypass the contactless limit, allowing unlimited EMV contactless transactions from a locked iPhone. Researchers successfully carried out an attack to prove their point, 'stealing' a thousand pounds (around $1,300) from their personal accounts.
According to the researchers, all an attacker needs is a powered-on iPhone, as no assistance from the merchant is necessary. The attack is possible due to a combination of flaws in Apple Pay and Visa systems. Researchers weren't able to replicate the experiment with Mastercard on Apple Pay or Visa on Samsung Pay.
Interestingly, researchers have informed both Apple and Visa about the flaw, but neither has decided to fix the issue.
"The details of this vulnerability have been disclosed to Apple (Oct 2020) and to Visa (May 2021). Both parties acknowledge the seriousness of the vulnerability but have not come to an agreement on which party should implement a fix," the researchers state in the paper.
The paper's authors advise users not to use Visa as a transport card in Apple Pay, at least until both Visa and apple agree to fix the flaw in their systems.
How it works
To oversimplify, an attacker needs to set up an RFID reader that tricks the targeted phone into taking it for a ticket barrier. At the same time, the researchers ran a script on a rooted Android device to iPhone's signal to a contactless payment terminal.
However, any type of device can be employed to carry out the task, not only Android phones.
Because the iPhone thinks it deals with a ticket barrier, a transaction is possible without unlocking the phone. Researchers abused this feature by tricking the device to act as if it was unlocked. That allowed to trick the device to act as if the payment was authorized, bypassing limits on payment size.
The researchers stated they have carried out the test on iPhone 7 and iPhone 12, indicating the flaw is present in iPhones of every model.
The authors of the report note that the complete work will be published at the 2022 IEEE Symposium on Security and Privacy.
It's been a few difficult weeks for Apple. Internet security watchdog group Citizen Lab recently announced a critical Apple software vulnerability, dubbed FORCEDENTRY.
Citizen Lab claims that the zero-day exploit against iMessage, which it dubbed FORCEDENTRY, was effective against Apple's mobile devices, laptops, and watches.
Last week a researcher reported four critical zero-day security vulnerabilities on Apple's iOS 14. The vulnerabilities affect a wide range of iOS data, allowing perpetrators to access apps, browsing history, and personal health data.
According to the researcher, Apple ignored researchers' attempts to inform the company about the vulnerabilities.
Experts, however, lauded Apple's attention to privacy with the iOS 15 upgrades. The latest iOS version will be equipped with on-device voice recognition, meaning that Siri requests will not leave the device to be processed. Another feature - intelligent tracking prevention - blocks trackers from profiling users by using their IP addresses.
Lastly, Apple introduced an email privacy protection feature that hides the device's IP address, preventing anyone from gaining insights into the sender's mail activity.
More from CyberNews:
Subscribe to our newsletter