Can you steal $10,000 from a locked iPhone?

Veritasium
Education | 6 min read | 27 min video
Apr 15, 2026 | 576,078 views | 41,097 | 4,517
TL;DR

A hidden loophole in Apple's 'Express Transit' mode combined with Visa cards can allow hackers to steal thousands from locked iPhones, despite security checks. The fix is simple but requires user action.

Key Insights

1

A 'man-in-the-middle' attack can intercept and alter communication between an iPhone and a payment terminal, bypassing security measures on a locked phone.

2

Three layers of defense are bypassed with three lies: the phone is told it is talking to a transit reader (by replaying the code a transit gate broadcasts), the $10,000 transaction is labelled 'low value' so the phone asks for no verification, and the reader is told that customer verification did take place.

3

The exploit requires a specific combination: an iPhone with 'Express Transit' mode enabled and a Visa card in the transit slot. Mastercard's protocol includes a stronger check that would catch the tampering, which is why Mastercard cards are not affected.

4

While Apple points to Visa as the issue and Visa claims the fraud is unlikely and covered by zero liability, the loophole, discovered in 2021, remains unfixed.

5

The hack was demonstrated successfully on the phones of MKBHD, the author and the channel's CFO, with amounts up to $10,000 transferred without any phone being unlocked.

6

The primary defense for users is to disable 'Express Transit' mode or remove the Visa card from that slot on their iPhone.

Demonstrating the hack: $10,000 stolen from a locked iPhone

The video opens with a demonstration on MKBHD's locked iPhone: first a $5 payment, then a $10,000 transaction, neither of which required him to unlock the phone. All it took was holding the locked iPhone against the attackers' terminal device. That alone defeats the basic expectation that a purchase requires the phone to be unlocked. The $10,000 transfer was approved and timestamped; the card's limit happened to allow the amount, but the point is that the phone authorized it without any user verification. The demonstration shows that a small physical device, driven by the right software, can make the phone authorize a transaction its owner never saw.

The underlying mechanism: A sophisticated man-in-the-middle attack

Cybersecurity researchers describe the hack as a 'man-in-the-middle' (relay) attack: the attacker sits between the iPhone and the legitimate payment reader and alters what passes between them. Two devices do the work. A Proxmark, a programmable NFC tool, impersonates a card reader to the phone; a burner phone impersonates the card to the real terminal. Everything exchanged between the two is routed through a laptop, where a Python script rewrites specific fields in flight. The attacker can therefore tell the phone one story and the reader another, and each side accepts the modified data as genuine because neither can see the other directly.

Bypassing the first layer: Exploiting 'Express Transit' mode

The first defense to fall is the unlock requirement. The hack exploits Apple's 'Express Transit' mode, introduced in 2019, which lets a user tap through a transit gate without unlocking the phone: the phone recognises a signal that transit terminals send before the payment exchange begins. The Proxmark replays that signal, so the iPhone believes it is talking to a transit reader. The transit shortcut also depends on a flag inside the transaction data the reader sends. Transit readers are often offline, so an authentic transit reader sets a particular bit to '1' to say that it may be offline. The attackers' real reader is online and sends a '0' in that bit; the script flips it to '1' before it reaches the phone. With the replayed signal and the flipped bit, the iPhone proceeds as it would at a turnstile, and the unlock requirement is gone.

Overcoming high-value transaction limits

The second lie targets the phone's defense against high-value payments. Contactless transactions are labelled either 'high value' or 'low value', and high-value ones require cardholder verification: a PIN, a fingerprint or a face. In the UK, for instance, anything over £100 triggers it. The reader is the party that applies the label, again as a single bit in the transaction data: a '1' for high value, a '0' for low value. The script flips the reader's '1' to a '0', so the phone sees a low-value transaction. A flag is used rather than a hard amount because the high/low boundary differs by country and currency, so the reader, which knows the local limit, is the one that decides. In transit mode the iPhone trusts that label and does not check the amount itself, so it authorizes $10,000 without asking for any verification.

The final deception: Tricking the payment reader

The third lie is aimed at the reader. Having authorized the 'low-value' $10,000 transaction with no verification, the phone answers with an approval that also states, in another single bit, that no customer verification was performed (a '0'). A reader that compared that answer with its own request, which asked for a high-value, verified transaction, would see the contradiction and decline. So the script intercepts the phone's reply and flips that bit to '1', 'verification performed'. The reader is satisfied and forwards the transaction to the bank, which sees what looks like a verified payment and approves it, completing the theft.

Specific vulnerabilities: iPhone, Visa, and transit mode

The hack depends on a specific combination. It needs an iPhone: in transit mode the iPhone relies on the reader's 'low value' label and does not check the numerical amount, whereas, the video says, a Samsung phone in transit mode accepts only a $0 transaction and treats anything larger as suspicious. It needs a Visa card in the Express Transit slot: according to the video, Mastercard always adds a second layer of protection based on asymmetric cryptography that would detect the altered fields, while Visa does not always enforce one, particularly in transit scenarios where the reader may be offline. And because the contactless exchange is not encrypted, intercepting and editing the bytes is straightforward.
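The three bit flips described in the last three sections, together with the point made in the paragraph above about why the tampering goes unnoticed, can be modelled end to end. The script below is an added example written for this summary; it is not the video's code nor the published researchers' tooling, and it runs offline with no NFC hardware. It assumes the Visa contactless field names and bit positions (Terminal Transaction Qualifiers sent by the reader, Card Transaction Qualifiers returned by the card) as they are publicly documented, where the video only speaks of "a specific bit"; it uses a placeholder for the transit gate's signal; and it substitutes HMAC-SHA256 for the real card cryptogram so that the effect of binding the flags into the cryptogram can be shown, without claiming that this is what Visa or Mastercard actually compute.

```python
"""Toy model of the three-lie relay on Express Transit + Visa, and of the binding that defeats it.
Added example for this summary, not code from the video or from the published research.
Assumptions: TTQ/CTQ bit positions as publicly documented (not stated by the video); a
placeholder transit signal; HMAC-SHA256 as a stand-in for the real card cryptogram."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Flag bits, EMV numbering (bit 8 = 0x80 ... bit 1 = 0x01). Positions are an assumption of this example.
TTQ_ODA_FOR_ONLINE  = (0, 0x01)  # TTQ byte 1 bit 1: reader supports offline data auth, i.e. it may be offline
TTQ_CVM_REQUIRED    = (1, 0x40)  # TTQ byte 2 bit 7: amount is over the CVM limit ("high value")
CTQ_CDCVM_PERFORMED = (1, 0x80)  # CTQ byte 2 bit 8: the device verified its user (Face ID / Touch ID)

TRANSIT_MAGIC   = b"\xaa\x55TRANSIT"  # placeholder, not the real transit-gate signal
CVM_LIMIT_CENTS = 10_000              # assumed reader limit of $100 (the text's UK figure is £100)
CARD_KEY        = b"demo-card-key"    # symmetric stand-in for the card's cryptogram key


def has(flags: bytes, bit) -> bool:
    return bool(flags[bit[0]] & bit[1])


def with_bit(flags: bytes, bit, on: bool) -> bytes:
    idx, mask = bit
    out = bytearray(flags)
    out[idx] = (out[idx] | mask) if on else (out[idx] & (0xFF ^ mask))
    return bytes(out)


@dataclass
class Request:          # what the phone sees when the reader starts the transaction (simplified)
    preamble: bytes     # transit-gate signal, or empty for an ordinary terminal
    amount_cents: int
    ttq: bytes


@dataclass
class Response:
    ctq: bytes
    cryptogram: bytes


def cryptogram(amount_cents: int, ttq: bytes, ctq: bytes, bound: bool) -> bytes:
    """Stand-in card cryptogram. bound=True also covers TTQ and CTQ, not just the amount."""
    data = amount_cents.to_bytes(6, "big") + (ttq + ctq if bound else b"")
    return hmac.new(CARD_KEY, data, hashlib.sha256).digest()


def reader_request(amount_cents: int) -> Request:
    """Ordinary online shop terminal: no transit signal, offline bit clear, CVM bit set over the limit."""
    ttq = b"\x36\x00\x40\x00"  # assumed typical online-capable TTQ
    if amount_cents > CVM_LIMIT_CENTS:
        ttq = with_bit(ttq, TTQ_CVM_REQUIRED, True)
    return Request(b"", amount_cents, ttq)


def transit_gate_request(amount_cents: int) -> Request:
    """Genuine transit gate: sends the transit signal and says it may be offline."""
    return Request(TRANSIT_MAGIC, amount_cents, with_bit(b"\x36\x00\x40\x00", TTQ_ODA_FOR_ONLINE, True))


def phone(req: Request, unlocked: bool, bound: bool) -> Optional[Response]:
    """iPhone with Express Transit on and a Visa card in the transit slot, as the text describes it."""
    transit = req.preamble == TRANSIT_MAGIC and has(req.ttq, TTQ_ODA_FOR_ONLINE)
    if not unlocked and not transit:
        return None                      # stays locked, asks for Face ID / passcode
    if not unlocked and has(req.ttq, TTQ_CVM_REQUIRED):
        return None                      # "high value" label: transit mode still wants the user
    # The amount is never consulted here; the phone trusts the reader's labels.
    ctq = with_bit(b"\x00\x00", CTQ_CDCVM_PERFORMED, unlocked)
    return Response(ctq, cryptogram(req.amount_cents, req.ttq, ctq, bound))


def reader_and_issuer(req: Request, rsp: Optional[Response], bound: bool) -> str:
    if rsp is None:
        return "declined: no response (phone wants to be unlocked)"
    if has(req.ttq, TTQ_CVM_REQUIRED) and not has(rsp.ctq, CTQ_CDCVM_PERFORMED):
        return "declined: CVM required but not performed"   # the check that lie 3 exists to defeat
    expected = cryptogram(req.amount_cents, req.ttq, rsp.ctq, bound)
    if not hmac.compare_digest(expected, rsp.cryptogram):
        return "declined: cryptogram mismatch, tampering detected"
    return "approved"


def honest_tap(req: Request, unlocked: bool, bound: bool = False) -> str:
    return reader_and_issuer(req, phone(req, unlocked, bound), bound)


def relayed_tap(req: Request, bound: bool = False, third_lie: bool = True) -> str:
    """Proxmark + burner phone + laptop script, reduced to three edits of the bytes in flight."""
    to_phone = Request(
        TRANSIT_MAGIC,                                          # replay the transit signal
        req.amount_cents,                                       # amount passes through untouched
        with_bit(with_bit(req.ttq, TTQ_ODA_FOR_ONLINE, True),   # lie 1: "I may be offline"
                 TTQ_CVM_REQUIRED, False))                      # lie 2: "low value, no CVM"
    rsp = phone(to_phone, unlocked=False, bound=bound)
    if rsp is not None and third_lie:                           # lie 3: "CDCVM was performed"
        rsp = Response(with_bit(rsp.ctq, CTQ_CDCVM_PERFORMED, True), rsp.cryptogram)
    return reader_and_issuer(req, rsp, bound)


if __name__ == "__main__":
    big = reader_request(1_000_000)                             # $10,000 at an online terminal
    print("locked, honest:", honest_tap(big, unlocked=False), "| relayed:", relayed_tap(big),
          "| relayed, bound:", relayed_tap(big, bound=True))
```

Running it shows the four cases the text walks through: a locked phone at an ordinary terminal declines, the relayed $10,000 tap is approved, skipping the third lie makes the reader's own consistency check fire, and binding TTQ and CTQ into the cryptogram makes the issuer reject the relayed transaction. The practical lesson is the one the text draws: a label that is not authenticated is only as trustworthy as the channel it travelled over, and a reader-side check (CVM required versus CDCVM performed) is defeated by the same relay that created the problem.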

The response from Apple and Visa: Denial and defensiveness

Despite the hack being public knowledge since 2021, both Apple and Visa have been slow to implement comprehensive fixes. Apple redirected blame to Visa, citing concerns with the Visa system. Visa, conversely, characterized the hack as unlikely to occur on a large scale and emphasized their zero liability policy, which protects cardholders from fraudulent charges. They argue that network-level defenses are sufficient, pointing out that only about 2 cents per $100 in in-person transactions are lost to fraud. While acknowledging the existence of fraud, they maintain it's not endemic and that consumers can dispute transactions. This stance has drawn criticism for not committing to technical changes that would fundamentally prevent such vulnerabilities.

Preventing the hack: Simple user actions

While industry giants debate responsibility and scale, the solution for individual users is remarkably simple: disable 'Express Transit' mode on iPhones or, at the very least, do not have a Visa card designated for transit payments in that slot. The video notes that 'Express Transit' with a suitable card is often enabled by default. By turning this feature off or removing the card, users can effectively eliminate this specific attack vector. The author draws an analogy to air travel safety, where even rare incidents are rigorously investigated to prevent recurrence, suggesting that financial institutions should aim for more than just a refund policy when such clear vulnerabilities exist.

Securing Your iPhone Against Payment Hacks

Practical takeaways from this episode

Do This

Turn off Express Transit mode on your iPhone if you use a Visa card.
Consider not using a Visa card in the transit slot of your Apple Wallet.
Be aware of the combination of devices and card types that create vulnerabilities.
If a transaction seems suspicious, review your phone and bank statements carefully.
Vote for Veritasium in the Webby Awards before April 16th.

Avoid This

Do not assume your phone is secure just because it is locked.
Do not rely solely on the default settings for Express Transit mode with certain cards.
Do not underestimate the possibility of sophisticated cyber attacks, even if they seem unlikely.
Do not dismiss potential fraud just because banks offer zero liability policies; the stress and inconvenience are real.

Common Questions

Yes, a specific hack exploits Apple's Express Transit mode and certain Visa card configurations to authorize transactions on a locked iPhone without requiring the passcode or biometric verification.
