Researchers find locked iPhones can be hacked through payment system
UK computer scientists have discovered a way to remotely hijack Visa contactless payments on a locked iPhone. Proper delivery of the exploit could allow a savvy hacker to make important financial transactions through the locked device without ever touching or even being nearby.
The exploit was discovered by researchers at the University of Birmingham and the University of Surrey and takes advantage of “Express transit”, An Apple Pay feature for commuters, the bbc reports. “Express,” which allows users to make quick, contactless Visa payments at ticket gates and other travel kiosks, essentially lets you stick your locked phone out the car window, pay, and go.
The attack, which exploits this useful app, is admittedly quite complex and a bit difficult to track, but in theory you can imagine it being used in some sort of high-stakes cyber-burglary-type scenario – potentially a targeting a wealthy individual.
It works roughly like this: a small “off-the-shelf” radio piece of equipment is placed near the phone, causing the device to believe that it is facing a ticket barrier (the researchers do not explicitly say what this is, probably because they don’t I don’t want people to try this at home). Next, an application developed by the researchers is run on an Android phone and used to redirect the signals from the iPhone to a real contactless payment terminal, presumably at a safe distance and controlled by criminals. From there, the phone’s communication with the payment terminal can be impaired, causing it to believe that transactions have been authorized.
While this all sounds really complicated, the researchers apparently were able to use this method to make a payment of £1,000 using a locked iPhone. They also tested a similar attack on Samsung Pay and Mastercard but found that it could not be replicated with these systems.
For now, this is more of a hypothetical threat than a real one. When contacted for comment, a representative from Visa told Gizmodo that such an attack is unlikely to work outside of a lab.
“Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence. Variations in contactless fraud patterns have been studied in the lab for over a decade and have proven impractical to perform on a large scale in the real world, ”said the company representative. “Visa takes all security threats very seriously and we work tirelessly to strengthen payment security across the ecosystem. “
An Apple spokesperson also told Gizmodo that “Visa does not believe this type of fraud is likely to occur in the real world given the multiple layers of security in place.”
For the most part, researchers seem to agree with this assessment, although they believe exploits like this could become a real threat in the future. The attack “has a certain technical complexity”, Dr Andreea Radu, University of Birmingham, told the BBC, while noting that, “in a few years, these [attacks] could become a real problem.
However, another researcher, Dr. Tom Chothia, of the University of Birmingham, told the outlet that iPhone owners who have a Visa card set up with Apple Pay should deactivate it. “Apple Pay users don’t need to be in danger, but until Apple or Visa fixes this problem, they are,” he said.