Hackers can bypass the locked screen and make contactless payments

30th September 2021 - A flaw in the Apple Pay feature that lets users set up a Visa card in transit mode allows the lock screen to be bypassed, enabling hackers to make unlimited transactions from locked iPhones.

In a joint effort between the University of Birmingham and the University of Surrey, a paper named ‘Practical EMV Relay Protection’ outlines how a hacker can exploit a sequence of underlying vulnerabilities in Apple Pay and Visa. The hacker can successfully carry out the attack even if the target’s phone is in their bag.

Typically, users who wish to complete a payment are required to authenticate the transaction using the iPhone’s built-in authentication features: a fingerprint scan, facial recognition, or a PIN code. This is intended to reduce the likelihood of a relay attack. However, in May 2019, Apple introduced the Express Transit feature, which enabled Apple customers to use Apple Pay without unlocking the phone. This feature was designed to speed up payment at ticket barriers in transport areas.

The research paper describes the attack method as follows: ‘this feature can be leveraged to bypass the Apple Pay lock screen, and illicitly pay from a locked iPhone, using a Visa card, to any EMV reader, for any amount, without user authorization.’

The attack is classified as a MitM (man-in-the-middle) replay and relay attack. It can be carried out if a Visa card is set up as a payment option with “Express Travel” turned on. If the target is in close vicinity to the hacker, the hacker will be successful in completing the fraudulent transaction.

The attack was demonstrated by: 

  • A small, commercially available radio was placed near the iPhone to trick it into believing it was communicating with a transport ticket barrier.
  • Meanwhile, an Android phone running an application developed by the researcher relayed signals from the targeted iPhone to a contactless payment terminal.
  • The iPhone did not need to be unlocked, as it believed it was transmitting to a ticket barrier.
  • The iPhone’s transmission could then be modified to indicate that the iPhone had been unlocked and the payment authorised, enabling transactions of higher amounts to be taken without a PIN, facial recognition, or fingerprint.

The demonstration conducted by the researcher was successful, with £1,000 taken during the transaction.
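
As an added illustration (not code from the research paper, Apple or Visa), the sketch below shows consistency checks a card issuer could run against the pattern described above: a payment the phone approved in transit mode while locked, yet which arrives from a non-transit terminal, for a large amount, or marked as user-verified. The record fields, the per-tap cap and the sample payments are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List

# Public-transport merchant category codes. Which codes an issuer treats as
# transit is an assumption of this example.
TRANSIT_MCCS = {"4111", "4112", "4131"}


@dataclass
class Payment:
    """Hypothetical issuer-side record; every field name is an assumption."""
    ref: str
    wallet_mode: str      # "express_transit" (paid while locked) or "standard"
    user_verified: bool   # transaction data claims the user unlocked the phone
    mcc: str              # merchant category code of the receiving terminal
    amount_pence: int


def relay_indicators(p: Payment, transit_cap_pence: int = 1000) -> List[str]:
    """Return the reasons a payment contradicts a genuine ticket-barrier tap."""
    if p.wallet_mode != "express_transit":
        return []  # the phone was unlocked by its owner; nothing to cross-check
    reasons = []
    if p.mcc not in TRANSIT_MCCS:
        reasons.append("transit-mode payment received by a non-transit merchant")
    if p.user_verified:
        reasons.append("marked user-verified although the phone paid while locked")
    if p.amount_pence > transit_cap_pence:
        reasons.append("amount exceeds the assumed per-tap transit cap")
    return reasons


# Constructed sample payments, not real transaction data.
SAMPLES = [
    Payment("barrier-tap", "express_transit", False, "4111", 280),
    Payment("shop-unlocked", "standard", True, "5411", 100_000),
    Payment("relayed", "express_transit", True, "5411", 100_000),
]


def flagged(payments: List[Payment]) -> dict:
    """Map each suspicious payment reference to its list of indicators."""
    return {p.ref: r for p in payments if (r := relay_indicators(p))}


if __name__ == "__main__":
    for ref, reasons in flagged(SAMPLES).items():
        print(ref, "->", "; ".join(reasons))
```

Only the constructed "relayed" payment, which matches the £1,000 demonstration, is flagged; the genuine barrier tap and the unlocked shop payment pass.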

The researchers were also successful in bypassing Visa’s built-in safety measures for Android phones, which are designed to impede relay attacks targeting installed payment cards. However, with Samsung Pay, researchers found no issue. The security methods in place for Mastercard prevented the demonstrated hack from being successful.

Apple and Visa have been alerted to the outlined security gaps. The two companies have yet to settle which of them is responsible for carrying out the required repairs.

In the meantime, users are being asked to refrain from using Visa cards set up with the Express Transit mode in Apple Pay. Furthermore, Dr Tom Chothia of the University of Birmingham stated that iPhone users who have set up a Visa card for transit payments should disable it.
