British computer scientists have discovered a way to remotely hijack contactless Visa payments on a locked iPhone. Delivered properly, the exploit could allow a skilled hacker to conduct large-scale financial transactions through the locked device without ever touching it or even being near it.
Researchers from the Universities of Birmingham and Surrey discovered the exploit, which takes advantage of “Express Transit,” an Apple Pay feature for commuters. The “Express” feature, which allows users to make quick, contactless Visa payments at ticket barriers and other travel kiosks, essentially allows you to stick your locked phone out the car window, pay, and drive.
The attack that takes advantage of this useful application is admittedly complex and difficult to follow, but in theory, you can imagine it being used in some sort of high-stakes, cyber-heist scenario—possibly one targeting a wealthy individual.
This is how it works: A small piece of “commercially available” radio equipment is placed near the phone, fooling it into thinking it is facing a ticket barrier (researchers don’t say what the equipment is, presumably because they don’t want people to try this at home). The researchers then run an application on an Android phone to reroute signals from the iPhone to a real contactless payment terminal—presumably one at a safe distance and controlled by the criminals. The phone’s communication with the payment terminal can then be manipulated, fooling it into believing that transactions have been authorized.
While this may appear to be a complicated method, researchers were apparently able to use it to make a £1,000 payment using a locked iPhone. They also tried a similar attack on Samsung Pay and Mastercard but were unable to replicate it with those systems.
For the time being, this is more of a theoretical threat than a real one. When contacted for comment, a Visa representative stated that an attack of this nature would most likely fail outside of a lab.
“Visa cards linked to Apple Pay Express Transit are safe, and cardholders can continue to use them with confidence. Contactless fraud schemes have been studied in laboratories for more than a decade and have proven to be impractical to execute at scale in the real world,” said a company representative. “Visa takes all security threats seriously, and we work tirelessly to improve payment security across the ecosystem.”
According to an Apple spokesperson, “Visa does not believe this type of fraud is likely to occur in the real world given the multiple layers of security in place.”
Researchers appear to agree with this assessment for the most part, though they believe that such exploits could become a real threat in the future. The attack “has some technical complexity,” according to Dr. Andreea Radu of the University of Birmingham, who added that “in a few years, these [attacks] may become a real issue.”
However, another researcher, Dr. Tom Chothia, of the University of Birmingham, told the outlet that iPhone owners who have a Visa card set up with Apple Pay should disable it. “There is no need for Apple Pay users to be in danger, but until Apple or Visa fix this they are,” he said.