Sat. Apr 18th, 2026

Thieves can drain your funds from a locked iPhone with this trick



Cybersecurity researchers have demonstrated a sophisticated exploit that allows thieves to siphon thousands of pounds from a locked iPhone, bypassing the usual biometric security checks.

The vulnerability, which targets Apple’s “Express Transit” (Express Travel) feature, was showcased in a dramatic demonstration by the popular YouTube channel Veritasium (see video above), where $10,000 was successfully “stolen” from YouTuber Marques Brownlee (MKBHD) while his phone remained securely locked in his hand.

The exploit was originally discovered in 2021 by researchers from the University of Surrey and the University of Birmingham, including Professor Ioana Boureanu and Dr. Tom Chothia. It relies on a “man-in-the-middle” attack using simple radio equipment.

By broadcasting a specific code, dubbed “magic bytes”, the attackers trick the iPhone into believing it is being tapped against a subway turnstile. Because Express Transit is designed for speed, it processes these transactions without requiring FaceID, TouchID, or a passcode.

The Three-Layer Lie

To move from a small subway fare to a high-value theft, the attackers must tell “three lies” to the hardware. First, they convince the iPhone it is at a transit gate. Second, they modify the transaction data so the iPhone believes a $10,000 charge is actually a “low-value” transaction that doesn’t need verification. Finally, they lie to the actual payment terminal, flipping a bit of data to say that the user has verified the payment on their device.

The exploit is highly specific. It only works with the combination of an iPhone and a Visa card. Samsung Pay is unaffected because it checks the actual numerical value of a transaction rather than just a “low-value” label. Similarly, Mastercard is immune because it requires an additional layer of asymmetric cryptography that would detect the data tampering.
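The two defences described above can be modelled in a few lines. This is an added illustration, not code from the researchers, Apple, Visa, Mastercard or Samsung: the field names, the 5,000-cent limit and the key are assumptions, and an HMAC stands in for the asymmetric signature so the example runs with the standard library alone.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

LIMIT_CENTS = 5_000              # assumed no-unlock limit for this model
KEY = b"constructed-demo-key"    # constructed; HMAC stands in for the signature

@dataclass(frozen=True)
class Txn:
    amount_cents: int
    low_value_flag: bool   # label carried in the transaction data
    transit_reader: bool   # reader identified itself as a transit gate
    user_verified: bool    # "cardholder authenticated on device" bit

def label_only_wallet(t: Txn, unlocked: bool) -> bool:
    """Weak policy: a locked phone pays if the data is labelled low-value."""
    return unlocked or (t.transit_reader and t.low_value_flag)

def amount_checking_wallet(t: Txn, unlocked: bool) -> bool:
    """Hardened policy: the numeric amount must also be under the limit."""
    return unlocked or (label_only_wallet(t, False) and t.amount_cents <= LIMIT_CENTS)

def tag(t: Txn) -> bytes:
    """Integrity tag the device computes over every field it saw."""
    fields = (t.amount_cents, t.low_value_flag, t.transit_reader, t.user_verified)
    return hmac.new(KEY, repr(fields).encode(), hashlib.sha256).digest()

def backend_accepts(t: Txn, device_tag: bytes, check_tag: bool) -> bool:
    """Backend rule: amounts above the limit need the user-verified bit."""
    if check_tag and not hmac.compare_digest(tag(t), device_tag):
        return False  # fields changed after the device produced the tag
    return t.user_verified or t.amount_cents <= LIMIT_CENTS

def run_cases() -> dict:
    fare = Txn(290, True, True, False)               # constructed: honest fare
    mislabelled = Txn(1_000_000, True, True, False)  # constructed: large amount, low-value label
    altered = replace(mislabelled, user_verified=True)  # bit changed in transit
    device_tag = tag(mislabelled)
    return {
        "fare_ok": amount_checking_wallet(fare, False) and backend_accepts(fare, tag(fare), True),
        "label_only_pays_locked": label_only_wallet(mislabelled, False),
        "amount_check_pays_locked": amount_checking_wallet(mislabelled, False),
        "backend_without_tag": backend_accepts(altered, device_tag, False),
        "backend_with_tag": backend_accepts(altered, device_tag, True),
    }

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name}: {result}")
```

Either control alone stops the mislabelled transaction in this model: the amount check refuses it on the locked device, and the integrity tag makes the backend reject data whose verification bit was changed after the device saw it.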

How to Protect Yourself

While Visa and Apple downplay the risk – Visa told Veritasium the exploit is “unlikely from a scaled real-world setting” – the threat is real if your phone is stolen or if a thief gets close enough to your pocket with a reader. To protect your funds, experts recommend the following steps:

  • Audit Your Wallet: Go to Settings > Wallet & Apple Pay > Express Travel Card. Check if a card is selected.

  • Switch Your Travel Card: If you use Express Travel, ensure the default card is a Mastercard or an American Express, as the vulnerability specifically affects Visa cards.

  • Disable the Feature: If you don’t mind the extra second it takes to use FaceID at a turnstile, set your Express Transit Card to “None.”

  • Use “Lost Mode”: If your iPhone is stolen, immediately use the Find My app to put it in Lost Mode, which suspends Apple Pay.

As Dr. Tom Chothia warned in the University’s research report: “iPhone owners should check if they have a Visa card set up for transit payments and if so they should disable it. There is no need for Apple Pay users to be in danger but until Apple or Visa fix this they are.”
