Apple’s digital wallet, Apple Pay, will hand over whatever amount a hostile contactless reader requests, without authorization, if it is configured for transit mode with a Visa card.
Boffins from the University of Birmingham and the University of Surrey in England found a way to bypass the contactless payment limit on iPhones using Apple Pay with a Visa card when “Express Transit” is enabled.
Express Transit mode allows Apple Pay transactions without unlocking the iPhone or requiring authentication. It is designed as a convenience for paying fares when passing through public transport ticket gates that accept EMV (Europay, Mastercard, and Visa) contactless readers.
Our work shows a clear example of a feature … turning around and negatively impacting security
“Our work shows a clear example of a feature, intended to gradually make life easier, turning around and having a negative impact on security, with potentially serious financial consequences for users,” said Dr Andreea-Ina Radu, from the University of Birmingham’s School of Computing, in a statement Thursday.
The researchers involved – Andreea-Ina Radu and Tom Chothia in Birmingham and Ioana Boureanu, Christopher JP Newton and Liqun Chen in Surrey – say they disclosed the flaw to Apple in October 2020 and Visa in May 2021. However, they claim the two companies were unable to cooperate on a fix, each pointing the finger at the other.
“Our discussions with Apple and Visa revealed that when two parts of the industry each have partial responsibility, neither is willing to accept responsibility and implement a fix, leaving users vulnerable indefinitely,” Radu said.
The research, which will be presented at the 43rd IEEE Symposium on Security and Privacy in May 2022, is based on a man-in-the-middle replay-and-relay attack on iPhones with a Visa card set as the “transit card.” In other words, the signaling between the iPhone and the transit payment system is spoofed by a malicious terminal to unlock payments from Apple’s digital wallet.
“If a non-standard sequence of bytes (Magic Bytes) precedes the standard ISO 14443-A WakeUp command, Apple Pay will consider this a transaction with a transport EMV reader,” the researchers explain in an account of their attack.
The Magic Bytes are a sequence broadcast by transit gates or turnstiles to unlock Apple Pay for a fare payment. Having identified this sequence with radio equipment, the researchers found they could broadcast it, with data fields altered, to fool correctly configured iPhones. By modifying specific fields of the wireless protocol, they could convince vulnerable iPhones to treat a transaction at a store-oriented contactless card reader as if it came from a transit gate, where no confirmation is expected.
Manipulating the associated data – setting a bit flag for the Consumer Device Cardholder Verification Method (CDCVM) – signals to the EMV reader taking part in that interaction that user authentication on the device authorized the amount, which allows transactions exceeding the contactless payment limit without the victim’s knowledge.
The primary requirement for this attack scenario is a stolen, powered-on iPhone configured as described with a Visa card. The researchers say funds could also be taken from a vulnerable iPhone in a victim’s bag, provided the necessary hardware can be brought close enough.
“An attacker only needs a stolen and powered iPhone,” the team wrote. “Transactions could also be relayed from an iPhone inside someone’s bag without their knowledge. The attacker needs no help from the merchant and backend fraud detection checks didn’t stop any of our test payments.”
The academics have also developed a separate attack on the Visa-L1 protocol, which is designed as a defense against such relay schemes. Visa-L1, the researchers explain, assumes that the attacker cannot change the UID of a card or mobile phone and that relaying ISO 14443 messages is difficult because of timing constraints. Both assumptions, they say, are wrong.
Visa believes rooting an Android smartphone is a difficult process, which requires high technical expertise
“The attack is possible because the security of the protocol relies on a random value sent only to the side of the card, which we can manipulate, and there is no randomization of the EMV reader,” the academics explain.
“The protocol is intended to protect against attackers using unmodified devices, and Visa believes that rooting an Android smartphone is a difficult process, which requires high technical expertise.”
In place of L1, the academics have come up with a new relay-resistant protocol, L1RP, whose security they say they have formally verified with the Tamarin protocol prover.
Radu et al suggest that, until Apple and Visa respond, no one should use a Visa card as the transit card in Apple Pay.
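The freshness point in the quote above (a random value contributed only by the card side gives the reader nothing to check against), reduced to a minimal model. This is an added illustration, not code from the paper, Visa or Apple: the message format, the HMAC-SHA256 response and the shared key are all constructed here, and the real Visa-L1 and L1RP protocols are not reproduced.

```python
import hashlib
import hmac
import secrets

# Constructed shared key for the model; real cards hold per-card keys.
KEY = b"constructed-shared-card-key"
READER_NONCE_LEN = 8


def card_answer(key: bytes, reader_nonce: bytes, card_nonce: bytes) -> bytes:
    """Card-side response: keyed MAC over both nonces (HMAC-SHA256, an assumption)."""
    return hmac.new(key, reader_nonce + card_nonce, hashlib.sha256).digest()


def reader_round(key: bytes, reader_randomizes: bool, card_side) -> bool:
    """One round as seen by the reader. `card_side` models whatever sits on the
    card side of the air interface and returns (card_nonce, answer)."""
    # Without reader-side randomness the reader's contribution is a constant.
    reader_nonce = secrets.token_bytes(READER_NONCE_LEN) if reader_randomizes else bytes(READER_NONCE_LEN)
    card_nonce, answer = card_side(reader_nonce)
    expected = card_answer(key, reader_nonce, card_nonce)
    return hmac.compare_digest(answer, expected)


class HonestCard:
    def __init__(self, key: bytes):
        self.key = key

    def __call__(self, reader_nonce: bytes):
        card_nonce = secrets.token_bytes(8)
        return card_nonce, card_answer(self.key, reader_nonce, card_nonce)


class StaleResponder:
    """Card-side device that returns one (card_nonce, answer) pair observed in an
    earlier round, without involving the real card in this one."""
    def __init__(self, captured):
        self.captured = captured

    def __call__(self, reader_nonce: bytes):
        return self.captured


def demo() -> dict:
    honest = HonestCard(KEY)
    captured = honest(bytes(READER_NONCE_LEN))  # pair seen in an earlier, reader-constant round
    stale = StaleResponder(captured)
    return {
        "honest_no_reader_nonce": reader_round(KEY, False, honest),
        "stale_no_reader_nonce": reader_round(KEY, False, stale),    # accepted: reader has no freshness
        "honest_with_reader_nonce": reader_round(KEY, True, honest),
        "stale_with_reader_nonce": reader_round(KEY, True, stale),   # rejected: answer must bind fresh nonce
    }
```

With reader-side randomness, a response not computed in the current round against the reader's fresh nonce fails verification, which is the property the quoted L1 design lacks.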
Neither Apple nor Visa responded to requests for comment. ®