Vulnerabilities in Apple Pay and Visa could enable hackers to bypass an iPhone’s Apple Pay lock screen and perform contactless payments, according to research by the University of Birmingham and University of Surrey.
Experts in the University of Birmingham’s School of Computer Science and the University of Surrey’s Department of Computer Science found their approach could also be used to bypass the contactless limit allowing transactions of any amount to be performed. Their results will be presented in a paper at the 2022 IEEE Symposium on Security and Privacy.
The researchers discovered the vulnerability occurs when Visa cards are set up in ‘Express Transit mode’ in an iPhone’s wallet. Transit mode is a feature on many smartphones that enables commuters to make a swift contactless mobile payment at, for example, an underground station turnstile, without fingerprint authentication.
The weakness lies in the ApplePay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones, or Visa on Samsung Pay.
Using simple radio equipment, the team identified a unique code broadcast by the transit gates, or turnstiles. This code, which the researchers nicknamed the ‘magic bytes’ will unlock Apple Pay. The team found they were then able to use this code to interfere with the signals going between the iPhone and a shop card reader. By broadcasting the magic bytes and changing other fields in the protocol, they were able to fool the iPhone into thinking it was talking to a transit gate, whereas actually, it was talking to a shop reader.
At the same time, the researchers’ method persuades the shop reader that the iPhone had successfully completed its user authorisation, so payments of any amount can be taken without the iPhone’s user’s knowledge.
Dr Andreea Radu, in the School of Computer Science at the University of Birmingham, led the research. She said: “Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users.
“Our discussions with Apple and Visa revealed that when two industry parties each have partial blame, neither are willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely.”
Co-author Dr Ioana Boureanu, from the University of Surrey’s Centre for Cyber Security, added: “We show how a usability feature in contactless mobile payments can lower security. But, we also uncovered contactless mobile-payment designs, such as Samsung Pay, which is both usable and secure. ApplePay users should not have to trade-off security for usability, but --at the moment-- some of them do.”
Co-author Dr Tom Chothia, also in the School of Computer Science at the University of Birmingham, said: “iPhone owners should check if they have a Visa card set up for transit payments, and if so they should disable it. There is no need for Apple Pay users to be in danger but until Apple or Visa fix this they are.”
- For media enquiries please contact Beck Lockwood, Press Office, University of Birmingham, tel: +44 (0)781 3343348 or Dalitso Njolinjo, Press Office, University of Surrey, tel: +44 (0)7720767399.
- More details and a video of a £1000 payment being taken from a locked iPhone are available.
- The University of Birmingham is ranked amongst the world’s top 100 institutions. Its work brings people from across the world to Birmingham, including researchers, teachers and more than 6,500 international students from over 150 countries.
- Radu et al (2021). ‘Practical EMV Relay Protection’. 2022 IEEE Symposium on Security and Privacy.