According to University of Birmingham research, vulnerabilities in Apple Pay or Visa could allow hackers to bypass the iPhone’s Apple Pay lock screen to perform contactless payments.
Experts from the University of Birmingham’s School of Computer Science, and the University of Surrey’s Department of Computer Science discovered that their method could be used to bypass any contactless limit which allows transactions of any amount. The 2022 IEEE Symposium on Security and Privacy will present their findings in a paper.
Researchers discovered that Visa cards set up in Express Transit mode in an iPhone’s wallet can expose the vulnerability. Transit mode, a feature found on many smartphones, allows commuters to quickly make a mobile payment at an underground station turnstile without fingerprint authentication.
The weakness is in Apple Pay and Visa working together. It does not affect other combinations such as Mastercard on iPhones or Visa on Samsung Pay.
The team used simple radio equipment to identify a unique code that was broadcast by the turnstiles or transit gates. The code, nicknamed by the researchers the “magic bytes”, will unlock Apple Pay. They were able to then use the code to disrupt the signals between the iPhone’s and the reader of shop cards. They broadcast the magic bytes, changing the fields, and fooled the iPhone into believing it was talking with a transit gate.
The shop reader is also convinced by the research that the iPhone has successfully completed its user authorization. Therefore, any amount can be paid without the iPhone’s knowledge.
The research was led by Dr. Andreea Radu from the School of Computer Science, University of Birmingham. She stated that “our work shows a clear example a feature meant to incrementally simplify life, but which backfires and negatively impacts security, with potential serious financial consequences for users.”
“Our conversations with Visa and Apple revealed that both parties are partially to blame and neither is willing to take responsibility for implementing a fix. This leaves users vulnerable indefinitely.”
Dr. Ioana Boureanu from the University of Surrey’s Centre for Cyber Security added that “we show how a useability feature in contactless phone payments can reduce security. We also discovered contactless mobile-payment design, such as Samsung Pay which is both secure and usable. Apple Pay users shouldn’t have to compromise security for usability. However, some do.
Tom Chothia, a co-author and also from the School of Computer Science, University of Birmingham, stated that iPhone owners should verify if they have a Visa Card set up for transit payments. If so, they should disable it. Apple Pay users are not at risk, but Visa and Apple will fix it.