British computer scientists have discovered a way to remotely hijack contactless Visa payments on a locked iPhone. Proper delivery of the exploit could allow a savvy hacker to make hefty financial transactions via the locked device without ever touching it or even being nearby.
The exploit was discovered by researchers at the University of Birmingham and the University of Surrey and takes advantage of “Express Transit,” an Apple Pay feature for commuters, the BBC reports. “Express,” which lets users make quick, contactless Visa payments at ticket barriers and other travel kiosks, essentially allows you to stick your locked phone out of the car window, pay, and go.
The attack, which exploits this useful application, is admittedly pretty complex and a little bit hard to follow but, in theory, you can imagine it being used in some sort of high-stakes, cyber-heist type scenario—potentially one targeting a wealthy individual.
It works something like this: A small piece of radio equipment—one that researchers say is “commercially available”—is placed near the phone, and it tricks the phone into believing it is facing a ticket barrier (researchers don’t explicitly say what kind of equipment this is—presumably because they don’t want people to try it at home). Then, an application developed by the researchers is run on an Android phone and used to reroute signals from the iPhone to a real contactless payment terminal—presumably one located at a safe distance away. From there, the phone’s communication with the payment terminal can be altered, thus tricking it into believing that transactions have been authorized.
While that all sounds really complicated, researchers were apparently able to use this method to make a payment of £1,000 using a locked iPhone. They also tested a similar attack on Samsung Pay and Mastercard but found that it could not be replicated with those systems.
For now, this is more of a hypothetical threat than a real one. When reached for comment, a Visa representative told Gizmodo that an attack of this kind would likely not work outside of a lab.
“Visa cards connected to Apple Pay Express Transit are secure and cardholders should continue to use them with confidence. Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world,” said the company representative. “Visa takes all security threats very seriously, and we work tirelessly to strengthen payment security across the ecosystem.”
An Apple spokesperson similarly told Gizmodo that “Visa does not believe this kind of fraud is likely to take place in the real world given the multiple layers of security in place.”
For the most part, researchers seem to agree with this assessment—though they believe that exploits of this kind could become a real threat in the future. The attack “has some technical complexity,” Dr Andreea Radu, of the University of Birmingham, told the BBC, while noting that, “in a few years, these [attacks] might become a real issue.”
However, another researcher, Dr. Tom Chothia, of the University of Birmingham, told the outlet that iPhone owners who have a Visa card set up with this Apple Pay feature should disable it. “There is no need for Apple Pay users to be in danger, but until Apple or Visa fix this they are,” he said.