A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities exploited in the attack remain unpatched, but the impacted vendors say they are not concerned.
The research was conducted by researchers at the University of Birmingham and the University of Surrey in the United Kingdom.
They discovered that if an iPhone is configured to use Apple Pay and a Visa card in “transit mode,” an attacker can remotely steal money from the targeted individual without any authentication or authorization being required — the attack works against locked iPhones.
“Express Transit” or “Express Travel” is a feature in Apple Pay that enables users to quickly pay for rides on certain public transport networks without having to authorize the payment with Face ID or Touch ID, as is typically required when Apple Pay is used. This feature can be highly useful, but researchers found that it also introduces some security risks.
The attack requires a reader emulator (they used a Proxmark device in their experiments), an NFC-enabled Android phone that acts as a card emulator, and an EMV reader. The attacker needs to hold the reader emulator close to the targeted iPhone — this can be done while it’s still in possession of the victim, or the attack is launched on a lost or stolen device.
The researchers described it as an “active man-in-the-middle replay and relay attack” that involves what they call “magic bytes,” a sequence of bytes that Apple Pay uses to determine if a transaction is being conducted with a transport EMV reader. The attack, they say, is possible due to a combination of flaws in Apple Pay and Visa systems.
“The attack works by first replaying the Magic Bytes to the iPhone, such that it believes the transaction is happening with a transport EMV reader. Secondly, while relaying the EMV messages, the Terminal Transaction Qualifiers (TTQ), sent by the EMV terminal, need to be modified such that the bits (flags) for Offline Data Authentication (ODA) for Online Authorizations supported and EMV mode supported are set. Offline data authentication for online transactions is a feature used in special-purpose readers, such as transit system entry gates, where EMV readers may have intermittent connectivity and online processing of a transaction cannot always take place. These modifications are sufficient to allow relaying a transaction to a non-transport EMV reader, if the transaction is under the contactless limit.”
Contactless card transactions typically have a limit, but the researchers have found a way to steal amounts of money over this limit. They demonstrated it by “stealing” £1,000 ($1,300) from a locked phone.
Both Visa and Apple have been notified and the researchers provided recommendations on how the attack could be mitigated, but neither of them has released any patches. The companies believe this type of attack is impractical to execute at scale in the real world, and noted that attacks are made difficult by the multiple layers of security that are in place.
The researchers also tested Samsung Pay and Mastercard cards, but they do not appear to be affected. The attack only works against devices that use Apple Pay and Visa — the attack does not work if Apple Pay is used, for instance, with Mastercard cards.
Users who believe they are at risk can prevent potential attacks by disabling the transit mode if they use Apple Pay with a Visa card.