Researchers from the computer science departments at Birmingham and Surrey universities have discovered a way for hackers to make large and unauthorized payments from locked iPhones by exploiting the features of Apple Pay.
University researchers have found that the attack works on Visa cards in Express Transit mode in an iPhone wallet. They were able to make a contactless payment of £1,000 (around $1,350) without unlocking the iPhone in use. Despite being reported to Apple a year ago, the issue is still not resolved.
Apple dismissed the attack vector as a “problem with a Visa system”; Visa not only insists that all payments are secure, but also that the attack put in place by the researchers was unworkable.
Express Transit mode was designed to allow a user to easily pass through ticket gates, making it possible to pay for entrance to sites or transport tickets without having to unlock their iPhone first. This can be exploited in an attack.
In short, the attack uses a device that claims to be a transit gate reader and intercepts the signal from the iPhone as it attempts to communicate with that "gate". An application then tricks a nearby payment terminal into believing that the iPhone is unlocked, thereby authorizing a payment to be made.
The researchers explain:
The attack on Apple Pay Transit is an active Man-in-the-Middle replay and relay attack. You need an iPhone to have a Visa card (credit or debit) configured as a "transit card".
If a non-standard byte sequence (Magic bytes) precedes the standard ISO 14443-A WakeUp command, Apple Pay will consider this a transaction with a transport EMV reader.
We use a Proxmark (which will act as a reader emulator) to communicate with the victim's iPhone and an NFC-enabled Android phone (which acts as a card emulator) to communicate with a payment terminal. The Proxmark and the card emulator must communicate with each other. In our experiments, we connected the Proxmark to a laptop, to which it communicated via USB; the laptop then relayed the messages to the card emulator via WiFi. The Proxmark can also communicate directly with an Android phone via Bluetooth. The Android phone does not require root.
The attack requires immediate proximity to the victim’s iPhone. This can be achieved by holding the terminal emulator near the iPhone while its rightful owner is still in possession, stealing it, or finding a lost phone.
The attack works by first replaying the Magic bytes to the iPhone, so that it thinks the transaction is with an EMV transit reader. Second, while relaying the EMV messages, the Terminal Transaction Qualifiers (TTQ), sent by the EMV terminal, must be changed so that the bits (flags) for Offline Data Authentication (ODA) for Online Authorizations supported and EMV mode supported are set. Offline data authentication for online transactions is a feature used in special-purpose readers, such as transit system gates, where EMV readers can have intermittent connectivity and online processing of a transaction cannot always take place. These modifications are sufficient to allow a transaction to be relayed to a non-transit EMV reader, if the transaction is under the contactless limit.
In order to relay transactions beyond the contactless limit, the Card Transaction Qualifiers (CTQ), sent by the iPhone, must be changed so that the bit (flag) for Consumer Device Cardholder Verification Method is set. This tricks the EMV reader into believing that user authentication on the device has been performed (e.g. by fingerprint). The CTQ value appears in two of the messages sent by the iPhone and must be changed in both cases.
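The flag combination described above is also what an issuer or acquirer can look for on the back end. The following is an added example, not code from the researchers or the article: a detection pass over a few constructed authorization log lines, in which the TTQ and CTQ are already decoded into named flags (field names, the flag names and the transit merchant category codes are assumptions, not values from the page).

```python
# Constructed log: one authorization per line, TTQ/CTQ already decoded to
# flag names by an assumed upstream parser. tx=3 carries the combination
# the text describes: transit-style TTQ plus "CDCVM performed", over limit.
LOG = """\
tx=1 mcc=4111 amount=250 limit=10000 ttq=ODA_ONLINE,EMV_MODE ctq=
tx=2 mcc=5411 amount=1500 limit=10000 ttq=EMV_MODE,CDCVM_SUPPORTED ctq=CDCVM_PERFORMED
tx=3 mcc=5411 amount=100000 limit=10000 ttq=ODA_ONLINE,EMV_MODE ctq=CDCVM_PERFORMED
"""

# Assumed set of merchant category codes an issuer treats as transit.
TRANSIT_MCCS = {"4111", "4112", "4131"}


def parse_line(line):
    """Turn one key=value log line into a record with sets of flag names."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["ttq"] = set(filter(None, rec["ttq"].split(",")))
    rec["ctq"] = set(filter(None, rec["ctq"].split(",")))
    rec["amount"] = int(rec["amount"])  # minor currency units
    rec["limit"] = int(rec["limit"])    # contactless limit, minor units
    return rec


def assess(rec):
    """Return the list of inconsistencies for one authorization record."""
    alerts = []
    # ODA-for-online plus EMV mode is the profile of a transit gate reader.
    transit_profile = {"ODA_ONLINE", "EMV_MODE"} <= rec["ttq"]
    cdcvm = "CDCVM_PERFORMED" in rec["ctq"]
    if transit_profile and rec["mcc"] not in TRANSIT_MCCS:
        alerts.append("transit-style TTQ from a non-transit merchant")
    if transit_profile and cdcvm:
        alerts.append("CDCVM claimed on a transit-profile transaction")
    if transit_profile and rec["amount"] > rec["limit"]:
        alerts.append("over contactless limit on a transit-profile transaction")
    return alerts


def scan(log=LOG):
    """Map tx id -> alerts for every record that raised at least one."""
    records = [parse_line(line) for line in log.splitlines() if line.strip()]
    return {rec["tx"]: assess(rec) for rec in records if assess(rec)}
```

Only tx=3 is flagged: the genuine transit ride (tx=1) and the ordinary unlocked retail payment (tx=2) pass, so the rule keys on the combination rather than on any single flag.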
In an article titled Practical EMV Relay Protection to be published at the 2022 IEEE Security and Privacy Symposium, the team of researchers summarizes their findings:
- The Apple Pay lock screen can be bypassed for any iPhone with a Visa card set up in transit mode. The contactless limit can also be bypassed, allowing unlimited EMV contactless transactions from a locked iPhone.
- An attacker only needs a stolen and powered iPhone. Transactions could also be relayed from an iPhone in someone's bag without their knowledge. The attacker does not need any help from the merchant, and backend fraud detection checks did not stop any of our test payments.
- This attack is made possible by a combination of loopholes in the Apple Pay and Visa system. It does not affect, for example, Mastercard on Apple Pay or Visa on Samsung Pay.
- Our work includes formal modeling that shows that Apple or Visa alone could mitigate this attack. We notified them two months ago but neither of them fixed their system, so the vulnerability remains active.
- We recommend that all iPhone users verify that they do not have a Visa card set up in transit mode and, if they do, deactivate it.
A video of the attack can also be seen on the researchers' website.
Image credit: WDnet / Shutterstock creation