Apple Pay security flaw allows hackers to steal your money when your iPhone is locked
Researchers in the UK have discovered a flaw in Apple Pay that allows hackers to make unauthorized contactless payments from your iPhone. The researchers from the University of Birmingham and the University of Surrey published a paper on Thursday describing the method by which this flaw can be exploited. Hackers can even bypass the lock screen of an iPhone with this method.
The Express Transit feature that Apple first introduced in iOS 12.3 appears to be the culprit behind the vulnerability. With Express Transit, you can quickly pay for rides on public transportation with a card in the Wallet app. As Apple notes on this support page, you don’t have to validate with Face ID, Touch ID, or a passcode. Express Transit is meant to be convenient, but it’s also key to this exploit.
As the researchers explain, ticket readers transmit a non-standard sequence of bytes that are capable of bypassing the iPhone lock screen. They refer to these as “magic bytes” in their research paper. This allows Express Transit (and similar features on other devices) to function. Apple Pay checks to see if all the requirements are met, and if they are, it processes the payment.