


A YouTuber has exposed how easily $10,000 can be stolen from a locked iPhone.
Tech giants have been making huge strides in phone security, like Apple sharing stolen device 'identifiers' with police in phone theft crackdowns, while Google Maps still faces controversy over just how much data it collects from unknowing users.
Now, an experiment from popular YouTube channel Veritasium has exposed a vulnerability suggesting there are still serious gaps in how our digital money is protected, even when our phones are locked and untouched.
The channel invited tech YouTuber Marques Brownlee (better known as MKBHD) to take part in a demonstration that reveals just how exposed contactless payments can be.
To show how easy it is, MKBHD's locked iPhone was placed on a standard payment terminal as Veritasium host Henry van Dyck processed a $5 charge.
To his utter surprise, the payment went through without a hitch.
"Well that's concerning," the tech expert said after checking his account transactions.
Van Dyck then raised the stakes and attempted a whopping $10,000 transaction. MKBHD was sceptical, as he would not normally use contactless at all for a purchase of that size, let alone expect Apple Pay to verify it from a locked screen.
However, the phone was placed back on the terminal, and the $10,000 payment was approved.
So how was this possible?
Explaining the process, van Dyck teamed up with two cybersecurity experts, Ioana Boureanu and Tom Chothia, who walked through the mechanics of a Man-in-the-Middle attack.
"Whenever you use Tap to Pay, your phone and the reader exchange information about the transaction," van Dyck explained. "But they send this information through the air by a shared magnetic field," he said, adding that a criminal can 'intercept' the communication and alter the pathway.
By inserting a device between the phone and the reader, attackers can capture that data mid-transfer and manipulate it before it reaches its destination.
In the experiment, the device used was an NFC tool called a Proxmark, which made MKBHD's phone believe it was communicating with a legitimate card reader. The intercepted data was then passed to a laptop, where a Python script modified it before sending it on to a separate burner phone, which was tapped against the actual payment terminal. To the terminal, it appeared as though it was communicating directly with MKBHD's phone the entire time, which is why the payment was processed so easily.
The exploit takes advantage of Apple's Express Transit mode, a feature that lets commuters tap their phones on subway readers without unlocking their devices with a PIN or Face ID first.
The experts essentially used the same authentication code that subway terminals rely on to effectively unlock the payment function without any input from the phone's owner.
"The only limit is how much someone has in their bank account," Chothia, one of the cybersecurity experts, noted. The team also warned that this trick can be easily performed on stolen iPhones, as no input is required from the original user.