Experts in the University of Birmingham’s School of Computer Science and the University of Surrey’s Department of Computer Science found their approach could also be used to bypass the contactless limit allowing transactions of any amount to be performed.
The researchers discovered the vulnerability occurs when Visa cards are set up in ‘Express Transit mode’ in an iPhone’s wallet. Transit mode is a feature on many smartphones that enables commuters to make a swift contactless mobile payment at, for example, an underground station turnstile, without fingerprint authentication.
The weakness lies in the Apple Pay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones, or Visa on Samsung Pay.
Using simple radio equipment, the team identified a unique code broadcast by the transit gates, or turnstiles. This code, which the researchers nicknamed the ‘magic bytes’ will unlock Apple Pay. The team found they were then able to use this code to interfere with the signals going between the iPhone and a shop card reader. By broadcasting the magic bytes and changing other fields in the protocol, they were able to fool the iPhone into thinking it was talking to a transit gate, whereas actually, it was talking to a shop reader.
At the same time, the researchers’ method persuades the shop reader that the iPhone had successfully completed its user authorization, so payments of any amount can be taken without the iPhone’s user’s knowledge.
Dr Andreea Radu, in the School of Computer Science at the University of Birmingham, led the research. She said, “Our work shows a clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users.”
Co-author Dr Ioana Boureanu, from the University of Surrey’s Centre for Cyber Security, added, “We show how a usability feature in contactless mobile payments can lower security. But, we also uncovered contactless mobile-payment designs, such as Samsung Pay, which is both usable and secure. Apple Pay users should not have to trade-off security for usability, but, at the moment, some of them do.”
The authors of the research said that iPhone owners should check if they have a Visa card set up for transit payments, and if so they should disable it.
According to the two universities, the details of the vulnerability were disclosed to Apple in October 2020 and to Visa in May 2021. Both parties acknowledged the seriousness of the vulnerability but have not come to an agreement on which party should implement a fix.
To read the full report and watch a video of a £1,000 (US$1,346) payment being taken from a locked iPhone, click here.