
Steal $10,000 From a Locked iPhone: A How-To

Learn How to Perform a Sophisticated iPhone Payment Hack

This guide will walk you through a complex method that can bypass your iPhone’s security to steal money from a locked device. While this technique requires specific tools and knowledge, understanding it is crucial for recognizing potential vulnerabilities. We’ll cover the technical steps involved in this “man-in-the-middle” attack, explaining how hackers can trick your phone and payment terminals.

Prerequisites

  • A target iPhone with Apple Pay and Express Transit Mode enabled.
  • A Visa card set up for Express Transit Mode on the iPhone.
  • Specific hardware: an NFC device like a Proxmark and a burner phone.
  • A laptop with a Python script designed for modifying transaction data.
  • Access to a payment terminal.

How to Execute the Hack

Step 1: Set Up the Attack Environment

First, you need to set up your equipment. This involves connecting a Proxmark device to your laptop, which will run a special Python script. You’ll also need a separate burner phone. This setup is designed to intercept and alter communication between the iPhone and the payment terminal. The goal is to create a “man-in-the-middle” scenario where your devices sit between the phone and the reader.

Step 2: Fool the iPhone with Express Transit Mode

The crucial first step of the attack itself is to trick the iPhone into thinking it is interacting with a transit payment system. Normally, paying with a locked iPhone requires unlocking it. However, Apple’s Express Transit Mode allows payments without unlocking for services like subways. To exploit this, the Proxmark device sends a specific code to the iPhone. This code mimics the signal from a transit terminal, making the iPhone believe it is in a transit situation.

Expert Note: This bypasses the primary security layer that requires unlocking the phone for payments. It’s a clever use of a convenience feature designed for public transport.

Step 3: Manipulate Transaction Data

Once the iPhone is fooled into thinking it’s in transit mode, the next step is to alter the transaction details. When the iPhone sends payment information, the Proxmark intercepts it. This data is then sent to the laptop running the Python script. The script modifies a specific bit of data within the transaction. This bit normally indicates if a transaction is high or low value.

By changing this bit from ‘1’ (high value) to ‘0’ (low value), the script makes the iPhone believe even a large amount is a small, typical transit charge. This prevents the phone from triggering its second security layer, which would normally ask for user verification for large sums.

Step 4: Trick the Payment Terminal

After the iPhone’s data is modified, it’s sent from the laptop to the burner phone. The burner phone then taps the actual payment terminal. To the terminal, the burner phone appears to be the iPhone making a low-value, verified transit payment. However, there’s a final security check to overcome. The iPhone’s response indicates that the transaction was approved but not verified by the user.

The payment terminal, expecting verification for what it thinks is a high-value transaction, would normally reject this. To counter this, the hack intercepts the iPhone’s response. It changes another bit of data, making it appear as if the customer *has* verified the payment. This third lie convinces the terminal, which then forwards the (fraudulent) transaction to the bank for approval.

Step 5: Complete the Transaction

With all three layers of defense bypassed – the lock screen, the high-value transaction alert, and the customer verification – the payment terminal believes the transaction is legitimate. The bank, relying on the information provided by the terminal, authorizes the payment. The result is that money can be transferred from the locked iPhone, even for large amounts like $10,000, without the owner’s explicit interaction or knowledge beyond the initial tap.

Warning: This hack relies on a specific combination of an iPhone, a Visa card configured for Express Transit, and the transit mode feature being active. Other phone types or card networks may not be vulnerable to this exact method.

Understanding the Vulnerability

This attack works because certain communication data between the phone and the reader is sent unencrypted. This allows for interception and modification. The specific vulnerability was known as far back as 2021. While Apple and Visa acknowledge the hack, they have differing views on responsibility. Apple points to Visa’s system, while Visa suggests the risk is low and cardholders are protected by their zero liability policy.

Tip: To protect yourself, ensure Express Transit Mode is only used with trusted cards and consider disabling it if you don’t frequently use transit services that require it. Regularly check your bank statements for any unauthorized charges.

Source: Can you steal $10,000 from a locked iPhone? (YouTube)

Written by John Digweed