Hackers Steal $10,000 from Locked iPhone

Cybersecurity experts have demonstrated a sophisticated hack that can steal up to $10,000 from a locked iPhone using a 'Tap to Pay' vulnerability. The exploit bypasses the phone's lock screen and payment verification by tricking the device into thinking a large sum is a small transit fare. This known flaw highlights ongoing security concerns with mobile payment systems.

Imagine this: your iPhone is locked, tucked away in your pocket, yet someone can somehow take thousands of dollars from it without you even knowing. This isn’t science fiction; it’s a real security flaw that cybersecurity experts have demonstrated, and it’s concerning that it’s still possible.

Researchers have shown how a clever hack can bypass an iPhone’s lock screen and drain money from its mobile wallet, even when the phone is completely locked. The scary part is that this vulnerability has been known for years, yet it remains unfixed.

The ‘Tap to Pay’ Vulnerability

The hack works by exploiting a feature called ‘Tap to Pay,’ which allows phones to make payments by simply tapping them on a payment terminal. When your phone and a payment reader communicate, they send information back and forth through the air using a magnetic field. This hack intercepts that communication and changes it.

Here’s how it works: a hacker uses a special device, like a Proxmark, to act as a fake payment reader. Your iPhone sees this device and thinks it’s a legitimate reader, sending it transaction data. This data is then sent to a laptop where a script modifies it. Finally, the modified data is sent to a real payment terminal, making it look like your phone is communicating directly with the reader.

Tricking the Defenses

To successfully steal money, hackers need to trick the phone and the payment system through three layers of defense. This involves telling three ‘lies’ to the systems involved.

Lie 1: Bypassing the Lock Screen

Normally, you have to unlock your phone to make a payment. However, iPhones have a feature called ‘Express Transit Mode,’ which allows payments for things like subway rides without needing to unlock the phone. This mode is designed for convenience, letting users tap and go quickly.

The hack abuses this by making the iPhone think it’s interacting with a transit terminal. The researchers found a specific code that transit terminals broadcast. By sending this code, they fool the iPhone into believing it’s a transit transaction, bypassing the need to unlock it for small payments.

Lie 2: Disguising Large Payments

Even with the lock screen bypassed, a $10,000 transaction would normally trigger a ‘customer verification’ step. This means your phone would ask for a PIN, fingerprint, or face scan. The hack overcomes this by tricking the iPhone into thinking the large payment is a ‘low value’ transaction.

Instead of looking at the actual amount, the iPhone checks a simple label in the data. By changing this label from ‘high value’ to ‘low value,’ the hack makes the phone authorize the $10,000 payment without asking for any extra confirmation. This works because the definition of ‘high’ and ‘low’ value can change between countries and currencies.

Lie 3: Fooling the Payment Reader

The final step is to convince the actual payment reader that the transaction is legitimate. When the iPhone approves the $10,000 payment, it also states that no customer verification was done. If the reader sees this, it would normally reject the payment because it knows $10,000 is a high-value transaction that requires verification.

To get around this, the hack intercepts the iPhone’s response. It changes the information to say that customer verification *was* completed. The reader then believes the transaction is valid and sends it to the bank for approval.

Why Is It Possible, and Who Is Responsible?

The reason this data is so easy to tamper with is that some of the communication between the phone and the reader is sent without encryption. This is partly to ensure compatibility with many different devices.

This specific hack relies on a combination of an iPhone and a Visa card set up for ‘Express Transit Mode.’ Other phones, such as Samsung devices, do not have this vulnerability because they check the actual transaction amount rather than just a label, and would reject a $10,000 transit payment.

Apple points the finger at Visa, stating the vulnerability lies within Visa’s system. Visa, however, believes this type of fraud is unlikely to happen on a large scale and that cardholders are protected by their zero liability policy. They emphasize that while fraud exists, their systems are designed to catch most attempts, and refunds are available.

What Comes Next?

While Visa and Apple debate responsibility, the core issue remains: a known vulnerability that could potentially be exploited. The researchers discovered this hack in 2021 and informed both companies privately. Despite this, the loophole persists.

For consumers, the immediate advice is to avoid setting up a Visa card for ‘Express Transit Mode’ on an iPhone. This feature is often turned on by default when a suitable card is added to the Apple Wallet. While refunds are promised, the stress and potential financial disruption of having thousands of dollars unexpectedly leave your account can be significant.

The experts argue that while refunds are a safety net, the ideal solution is to prevent such fraud from being possible in the first place. The debate highlights the ongoing challenge of balancing security with convenience in our increasingly digital world.


Source: Can you steal $10,000 from a locked iPhone? (YouTube)

Written by Joshua D. Ovidiu