Researchers at the University of Birmingham and the University of Surrey, as part of a project dubbed TimeTrust, say they have uncovered a vulnerability in the Apple Pay-Visa setup that could allow hackers to bypass iPhone’s Apple Pay lock screen to perform contactless payments and get around any established transaction limits.
The vulnerabilities were detected in iPhone wallets where Visa cards were set up in “express transit mode,” the researchers say. The transit mode feature, launched in May 2019, enables commuters to make contactless mobile payments without fingerprint authentication.
Threat actors can use the vulnerability to bypass the Apple Pay lock screen and illicitly make payments using a Visa card from a locked iPhone to any contactless Europay, Mastercard, and Visa — or EMV — reader, for any amount, without user authorization.
The weakness lies in the Apple Pay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones, or Visa on Samsung Pay.
The researchers also tested Samsung Pay and found it could not be exploited in the same way. They also attempted the attack with Mastercard, but found that the way its security layer works prevented the simulated attack from gaining access to accounts.
How was it uncovered?
The researchers used simple radio equipment to identify a unique code broadcast by the transit gates or turnstiles. The code, dubbed “magic bytes,” unlocked Apple Pay.
“The team found they could use this code to interfere with the signals going between the iPhone and a shop card reader. By broadcasting the magic bytes and changing other fields in the protocol, they could fool the iPhone into thinking it was talking to a transit gate, whereas actually, it was talking to a shop reader,” said Andreea-Ina Radu, who led the research at the School of Computer Science at the University of Birmingham.
The method “persuades the shop reader that the iPhone has successfully completed its user authorization, so payments of any amount can be taken without the iPhone’s user’s knowledge.”
In addition, the vulnerability allows for a bypass of the contactless transaction limit, allowing unlimited EMV contactless transactions from a locked iPhone.
Radu says the project is a “clear example of a feature, meant to incrementally make life easier, backfiring and negatively impacting security, with potentially serious financial consequences for users.”
Apple and Visa’s response
This vulnerability was disclosed to Apple in October 2020 and to Visa in May 2021. The researchers say that both parties acknowledged the exposure’s seriousness, but they have not agreed on who should implement the fix.
“Our work includes formal modeling that shows that either Apple or Visa could mitigate this attack independently. We informed them both months ago, but neither has fixed their system, so the vulnerability remains live,” Radu said.
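The attack the researchers describe is a feature interaction: the phone skips user authentication because it believes it is at a transit gate, while the shop reader and issuer accept a "user authorised" indication that nothing protects. The toy model below is an added illustration, not the researchers' formal model and not Apple Pay, Visa or EMV message formats: every field name, the "magic bytes" value, the shared key, the "retail" and "transit" merchant categories and the contactless limit are constructed simplifications. It reproduces the claim that either side can close the gap on its own: the phone by moving its user-verification claim under the transaction MAC, or the issuer by refusing a transit-mode unlock at a non-transit merchant.

```python
"""Toy model of the express-transit interaction described above.

Added illustration only: the field names, the TRANSIT_MAGIC value, the
shared key and the limit are constructed; they are not real EMV, Apple
Pay or Visa values, and this is not the researchers' formal model.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

TRANSIT_MAGIC = b"\xa5\x5a"            # constructed stand-in for a transit gate's "magic bytes"
SHOP_HELLO = b"\x00\x00"               # constructed stand-in for an ordinary shop reader
ISSUER_KEY = b"constructed-demo-key"   # stand-in for the key a wallet shares with its issuer
CONTACTLESS_LIMIT = 100                # assumed limit above which the issuer wants user verification


@dataclass
class Cryptogram:
    """What the phone hands to the reader. `authenticated` is covered by the MAC;
    `clear` is not (the model's stand-in for unprotected protocol fields)."""
    authenticated: dict
    clear: dict
    mac: bytes


def _mac(fields: dict) -> bytes:
    msg = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()


def phone_pay(hello: bytes, amount: int, locked: bool, authenticate_cvm_claim: bool) -> Optional[Cryptogram]:
    """Wallet logic: on the transit bytes the phone pays while locked without
    user verification; otherwise a locked phone refuses."""
    if hello == TRANSIT_MAGIC:
        unlock_reason, user_verified = "transit", False
    elif locked:
        return None                        # would need Face ID / Touch ID first
    else:
        unlock_reason, user_verified = "user_auth", True
    authenticated = {"amount": amount, "unlock_reason": unlock_reason}
    clear = {}
    # Phone-side mitigation: carry the user-verification claim under the MAC.
    (authenticated if authenticate_cvm_claim else clear)["user_verified"] = user_verified
    return Cryptogram(authenticated, clear, _mac(authenticated))


def relay(shop_amount: int, locked_phone: bool, authenticate_cvm_claim: bool) -> Optional[Cryptogram]:
    """The man-in-the-middle the article describes: the phone is shown the transit
    bytes, and the shop reader is shown the result with the unprotected
    user-verification field rewritten (it cannot touch an authenticated one)."""
    c = phone_pay(TRANSIT_MAGIC, shop_amount, locked_phone, authenticate_cvm_claim)
    if c is not None and "user_verified" in c.clear:
        c.clear["user_verified"] = True
    return c


def issuer_authorise(c: Optional[Cryptogram], merchant_category: str, check_unlock_vs_merchant: bool) -> str:
    """Issuer decision. `merchant_category` is what the acquirer reports ("transit" or "retail")."""
    if c is None:
        return "DECLINE: no cryptogram"
    if not hmac.compare_digest(_mac(c.authenticated), c.mac):
        return "DECLINE: cryptogram MAC mismatch"
    # Issuer-side mitigation: a transit-mode unlock may only pay a transit merchant.
    if check_unlock_vs_merchant and c.authenticated["unlock_reason"] == "transit" and merchant_category != "transit":
        return "DECLINE: transit unlock used at non-transit merchant"
    user_verified = {**c.clear, **c.authenticated}.get("user_verified", False)
    if c.authenticated["amount"] > CONTACTLESS_LIMIT and not user_verified:
        return "DECLINE: over limit without user verification"
    return "APPROVE"


def run(amount: int, phone_fix: bool, issuer_fix: bool) -> str:
    """Relayed payment from a locked phone at a retail reader under a mix of mitigations."""
    return issuer_authorise(relay(amount, True, phone_fix), "retail", issuer_fix)


if __name__ == "__main__":
    for phone_fix, issuer_fix in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"phone_fix={phone_fix!s:5} issuer_fix={issuer_fix!s:5} -> {run(1000, phone_fix, issuer_fix)}")
    # A genuine gate still works with both checks on:
    print("real gate ->", issuer_authorise(phone_pay(TRANSIT_MAGIC, 5, True, True), "transit", True))
```

With neither check the over-limit relayed payment is approved, because the only signal the issuer consults is a field the relay can rewrite; either check alone declines it, and a genuine transit tap is still approved with both checks on. The design point the model isolates is that a policy decision (skip verification for transit) must be bound to data the relying party can verify, not to what the terminal announces.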
According to an Apple spokesperson, the vulnerability is a concern connected to Visa systems, and Visa does not believe that this kind of fraud is likely to take place in the real world, given the multiple layers of security in place.
“We take any threat to users’ security very seriously. However, in the unlikely event that an unauthorized payment does occur, Visa has made it clear that Visa’s zero liability policy protects their cardholders,” a Visa spokesperson said.
How users can protect themselves
The researchers said that existing fraud detection does not appear to catch this attack. Users can protect themselves by not setting up a Visa card as a transport card in Apple Pay and, if they do, by remotely wiping the device if it is lost or stolen.
Researchers are further investigating the situation and will present their results at the 2022 IEEE Symposium on Security and Privacy.