Carders can make payments from locked iPhones with VISA card

Brother

The method is an active replay and relay MitM attack.



Researchers from the University of Birmingham and the University of Surrey in the UK have discovered a way to make fraudulent payments using Apple Pay from a locked iPhone with a Visa card. The method is a digital version of pickpocketing. It works over the air, even if the iPhone is in a bag or in someone's pocket.

Experts studied relay attacks on contactless payments and found that iPhones confirm transactions under certain conditions. To make a payment, iPhone users need to authorize it by unlocking the phone using Face ID, Touch ID, or a password. However, in some cases, such as when paying for public transport, unlocking the device makes the payment process cumbersome for the user. Apple Pay addressed the issue with Express Transit, which allows transactions to be completed without unlocking the device.

Express Transit works with turnstiles and card readers that send a custom byte sequence that bypasses the Apple Pay lock screen. When combined with a Visa card, this feature can be used to bypass the Apple Pay lock screen and make illegal payments from a locked iPhone to an EMV reader for any amount and without user authorization.

The researchers were able to simulate a transaction using a Proxmark device. The method is an active replay-and-relay MitM attack in which the Proxmark replays the "special bytes" to the iPhone, ostensibly paying for a ticket without requiring the user to authenticate.

Experts were also able to change the Card Transaction Qualifiers (CTQ) indicators, which are responsible for setting limits for contactless transactions. During the experiment, the researchers carried out a transaction in the amount of £1,000 from a locked iPhone. The attack was successfully tested on iPhone 7 and iPhone 12.

The tests were successful only with iPhone and Visa cards. In the case of Mastercard, a check verifies that the locked iPhone only accepts transactions from card readers with a transit merchant code.

The study was sent to Apple and Visa in October 2020 and May 2021, respectively, but neither company has addressed the issue. Instead, the tech giants have shifted the burden of patching onto each other, so the vulnerability is still there and can be exploited with off-the-shelf hardware and software.
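
The Mastercard behaviour described above (a locked phone only pays readers that carry a transit merchant code) can also be applied as a back-end authorization rule. The sketch below is an added example, not part of the original post or the researchers' work; the `Txn` record, its field names, the `cap_minor` limit and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Merchant category codes for transit: commuter transport, passenger rail,
# bus lines, tolls and bridge fees.
TRANSIT_MCCS = {"4111", "4112", "4131", "4784"}


@dataclass
class Txn:
    """Hypothetical authorization record; field names are assumptions."""
    txn_id: str
    mcc: str               # merchant category code reported for the reader
    amount_minor: int      # amount in minor units (pence)
    device_unlocked: bool  # wallet reported Face ID / Touch ID / passcode


def review(txn, cap_minor=1000):
    """Return reasons to decline or hold; an empty list means pass.

    cap_minor is an assumed ceiling for payments made without unlocking.
    """
    if txn.device_unlocked:
        return []  # user authorized the payment, normal limits apply
    reasons = []
    if txn.mcc not in TRANSIT_MCCS:
        reasons.append("no user auth at non-transit merchant")
    if txn.amount_minor > cap_minor:
        reasons.append("no user auth above transit cap")
    return reasons


def flagged(txns, cap_minor=1000):
    """Map txn_id -> reasons for every transaction that fails review."""
    results = {t.txn_id: review(t, cap_minor) for t in txns}
    return {tid: why for tid, why in results.items() if why}


# Constructed sample data, not real transactions.
SAMPLE = [
    Txn("t1", "4111", 280, False),     # locked phone at a transit gate
    Txn("t2", "5411", 100000, False),  # locked phone, retail reader, 1,000 GBP
    Txn("t3", "5411", 100000, True),   # same purchase, phone unlocked
    Txn("t4", "4111", 100000, False),  # transit code but implausible amount
]

if __name__ == "__main__":
    for tid, why in flagged(SAMPLE).items():
        print(tid, "->", "; ".join(why))
```

Checking the amount as well as the merchant code matters because the article reports that the transaction limit indicators were altered in transit, so a transit code alone does not bound the loss.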
 