A YouTube channel collaborated with two cybersecurity experts to explain how Apple’s Tap-to-Pay vulnerability from 2021 can still be exploited.
Apple's Express Transit Mode was launched in 2019
Photo Credit: Pexels/ cottonbro studio
Apple promises high levels of security and privacy to its users. However, a YouTuber has now demonstrated a vulnerability in Apple's tap-to-pay feature that could let a bad actor drain an iPhone user's bank account without ever unlocking the handset. The attack, dubbed a “Man in the Middle” hack, uses a chain of devices to fool the iPhone's NFC chip into believing that it is being tapped on a point-of-sale (PoS) device or a transit terminal. The YouTuber collaborated with two cybersecurity experts to demonstrate how the issue, reportedly first discovered five years ago, can be exploited.
In a new video on the YouTube channel Veritasium, Henry van Dyck demonstrates how a vulnerability reportedly discovered in 2021 can be exploited to steal money from a locked iPhone. To demonstrate this, he carries out a transaction from a locked iPhone belonging to tech YouTuber Marques Brownlee, commonly known as MKBHD. At the start of the video, he places the handset on a device called “Proxmark”, a third-party NFC reader, which is plugged into a laptop.
When placed on the Proxmark, the iPhone purportedly exchanges transaction information with it, and the reader relays that data to the laptop. The transaction data is then modified on the laptop using a Python script, and the laptop relays the modified data to another handset. When this second phone is tapped on a PoS device, the terminal and the iPhone are fooled into believing that they are communicating with each other directly, resulting in a successful transfer of funds from the phone.
The YouTuber was able to steal $10,000 (roughly Rs. 9,33,000) from Brownlee's iPhone 17 Pro without even touching the handset or unlocking it. The YouTube channel collaborated with cybersecurity experts and university professors Ioana Boureanu and Tom Chothia, who explained that this was possible because of a known vulnerability in Apple's Express Transit Mode, which lets users make payments at transit terminals in city buses and subway stations without unlocking their smartphones.
They also warned that there is no limit on how much money can be stolen from a user's account by exploiting this vulnerability. They said, “The limit is how much money the person has in his or her bank account.” Going into details, the professors explained that when an iPhone is tapped at a transit terminal, it exchanges a code with Apple's tap-to-pay function to authenticate the transaction, and then identifies the transit card so that the funds can be transferred. However, this exploit only works with a Visa transit card, owing to the verification method used by the payment company.
However, the video shows that this code can be captured and relayed to a third-party device using a Proxmark or a similar device. The iPhone also expects to receive a unique code in return, which is written in binary. At the end of the first binary message, the final bit should be set to “1”, which is used for offline data authentication in online transactions.
However, a typical PoS device usually responds with this particular value set to “0”. Hence, a bad actor can intercept this message and modify the value to trick the iPhone into believing that it is communicating with an authenticated transit terminal.
Similarly, this binary code can also be modified to trick the iPhone into believing that the transaction is of a lower value, removing the need for the user to approve it manually with facial or fingerprint biometrics. In the other direction, the code is again modified using a Python script to fool the PoS device into believing that the customer has provided biometric approval.
The YouTuber says that Apple left the transit ‘magic bytes’ and EMV flags that are exchanged between PoS devices or transit terminals and an iPhone unencrypted on purpose. He added that this is because the tap-to-pay feature is used across different types of readers and in multiple locations, which makes encrypting these fields difficult.
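The root cause the experts describe is that the phone acts on reader-supplied flags and amounts that nothing authenticates. The Python model below is an added example, not code from the video, the researchers, Apple or Visa: it shows a relay setting a “transit” flag and lowering the amount in a constructed toy message, and, going beyond the article, contrasts that with a version where the phone checks a keyed MAC over those same fields. The message layout, the bit position, the no-authentication threshold and especially the shared key are assumptions made for the demo; real EMV readers share no key with the phone, so the MAC is an illustration of why integrity protection of decision-relevant fields matters, not a proposed fix.

```python
"""Toy model of a relay rewriting unauthenticated reader flags.

Constructed illustration only: the message layout, the shared MAC key and the
threshold are assumptions for this demo and do not reflect Apple's, Visa's or
EMV's actual formats or protocols.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional

# Assumed bit position for the "transit terminal" indicator the phone checks.
TRANSIT_FLAG = 0x01
# Assumed amount (in minor units) below which the phone skips biometrics.
NO_AUTH_LIMIT = 5_000  # i.e. 50.00 in the demo currency


@dataclass(frozen=True)
class ReaderMessage:
    flags: int          # one byte of terminal-type / capability flags
    amount: int         # transaction amount in minor units
    mac: bytes = b""    # optional integrity tag over flags and amount


def _tag(key: bytes, flags: int, amount: int) -> bytes:
    # HMAC over exactly the fields the phone bases its decision on.
    body = bytes([flags & 0xFF]) + amount.to_bytes(8, "big")
    return hmac.new(key, body, hashlib.sha256).digest()


def reader_message(flags: int, amount: int, key: Optional[bytes] = None) -> ReaderMessage:
    """Build a reader response; with a key, attach an integrity tag."""
    mac = _tag(key, flags, amount) if key is not None else b""
    return ReaderMessage(flags, amount, mac)


def relay_tamper(msg: ReaderMessage) -> ReaderMessage:
    """The modification the article describes: set the transit flag and lower
    the amount below the no-authentication threshold. Any MAC is left as-is,
    because a relay holds no key and cannot recompute it."""
    return replace(msg, flags=msg.flags | TRANSIT_FLAG,
                   amount=min(msg.amount, NO_AUTH_LIMIT - 1))


def phone_decision(msg: ReaderMessage, key: Optional[bytes] = None) -> str:
    """Return 'express' (no user auth), 'biometric' (ask the user) or 'reject'."""
    if key is not None:
        # Hardened variant: refuse any message whose fields are not covered by a valid tag.
        if not msg.mac or not hmac.compare_digest(msg.mac, _tag(key, msg.flags, msg.amount)):
            return "reject"
    if msg.flags & TRANSIT_FLAG and msg.amount < NO_AUTH_LIMIT:
        return "express"
    return "biometric"


def demo() -> Dict[str, str]:
    """Run the genuine and relayed message through both phone policies."""
    key = b"demo-shared-key"  # constructed for the demo; no real reader has this
    # A genuine PoS response: transit flag clear, amount 10,000.00 in minor units.
    genuine_pos = reader_message(flags=0x00, amount=1_000_000)
    results = {
        "unprotected_genuine": phone_decision(genuine_pos),
        "unprotected_tampered": phone_decision(relay_tamper(genuine_pos)),
    }
    signed_pos = reader_message(flags=0x00, amount=1_000_000, key=key)
    results["protected_genuine"] = phone_decision(signed_pos, key)
    results["protected_tampered"] = phone_decision(relay_tamper(signed_pos), key)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In the unprotected policy the relayed message is accepted as an express transit payment even though the reader is a normal PoS terminal asking for the full amount; in the keyed variant the same rewrite fails verification and is rejected. The point is the principle, not the mechanism: whatever the phone uses to decide whether to skip user authentication has to be something a man in the middle cannot rewrite.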
The channel also reached out to Apple for a comment, to which the Cupertino-based tech giant replied, “This is a concern with a Visa system.” Further, the company told the YouTube channel that Visa “does not believe” that such a fraud can take place “in the real world”, and that its customers are covered under Visa's zero liability policy.