
Can you steal $10,000 from a locked iPhone?
AI Summary
The video demonstrates a hack that lets money be taken from a locked iPhone through its mobile wallet, specifically Apple Pay with a Visa card set up in Express Transit Mode. The attack was developed by the cybersecurity researchers Professor Ioana Boureanu (University of Surrey) and Professor Tom Chothia (University of Birmingham) and their colleagues, and was first made public in 2021; as of the video, the loophole remains unaddressed.
The demonstration begins with the host, Henry, attempting to steal money from MKBHD's (Marques Brownlee's) locked iPhone. Initially, Henry charges $5 from Marques's phone using a regular payment terminal while the phone is locked and placed on a device. The transaction is approved without any interaction from Marques, who immediately sees a $5 charge on his phone. Henry then escalates the attempt to $10,000, which is also successfully approved and charged to Marques's account, again without any verification or unlocking of the phone. This highlights the severity of the vulnerability, as the only limit to the amount that can be stolen is the cardholder's bank account limit.
The mechanism behind this "man-in-the-middle" attack involves intercepting and altering the communication between the iPhone and a payment reader. When using "Tap to Pay," the phone and reader exchange data over NFC, i.e. by inductive coupling in a shared magnetic field, so anything placed between them can read and rewrite the messages. The hackers insert their own equipment between the iPhone and the payment reader: a Proxmark NFC device, a laptop running a Python script, and a burner phone.
The attack proceeds in three stages, involving three "lies" to bypass security layers:
1. **Bypassing the Lock Screen (First Lie):** The first defense layer is the locked phone, which normally requires unlocking before a transaction. However, Apple introduced "Express Transit Mode" in 2019, allowing users to pay for transit without unlocking their phone. Transit terminals announce themselves with a specific sequence of bytes, and the Proxmark replays that same sequence, tricking the iPhone into believing it is talking to a transit reader. The phone then expects the transaction details a transit reader would send. The real reader, however, is a retail reader. A crucial bit in the reader's binary transaction message (a flag in its Terminal Transaction Qualifiers, TTQ) indicates whether the reader might be offline (e.g., underground) and therefore needs the phone to authenticate its data offline. For a transit reader this bit is '1' (offline possible), but for an online retail reader it is '0'. The Python script intercepts the message from the retail reader and changes this '0' to a '1', so the phone believes it is communicating with an offline-capable transit terminal. This removes the need to unlock the phone for small, transit-like payments.
2. **Bypassing Customer Verification for High Value Transactions (Second Lie):** With the first lie, small payments can be made, but a $10,000 transaction would trigger a second defense layer: cardholder verification. Contactless payments are classified as "high value" or "low value," and high-value transactions require a PIN, fingerprint, or facial recognition (e.g., over £100 in the UK). To make the $10,000 transaction appear low value, the hack exploits how the iPhone decides whether verification is needed. Instead of checking the numerical amount, the iPhone trusts a single bit sent by the reader in the same TTQ field: '1' means verification is required (high value), '0' means it is not (low value). This design lets one phone work with the varying limits and currencies of different countries. The Python script intercepts the message from the reader and flips this bit from '1' to '0'. The phone then treats the $10,000 transaction as low value and authorizes it without asking for verification.
3. **Convincing the Reader the Transaction is Verified (Third Lie):** After the phone approves the $10,000 transaction, its reply (the Card Transaction Qualifiers, CTQ) states that no cardholder verification was performed. The payment reader would normally reject a high-value transaction without verification. To circumvent this, the hack intercepts the phone's response and flips the "consumer device verification performed" bit from '0' ("no verification") to '1' ("verified"). The reader then accepts the transaction as valid and forwards it to the bank, which authorizes the payment because it sees a cardholder-verified transaction.
The reason this data manipulation is possible is that much of the transaction information is sent unencrypted to maintain compatibility across thousands of devices. While phones, readers, and banks have checks in place, a specific combination of phone and card creates a loophole.
The hack specifically requires:
* **An iPhone:** iPhones rely on the "low value" label from the reader to determine if verification is needed, unlike Samsung phones, which check the actual numerical value and would reject a $10,000 transit transaction.
* **A Visa card in the transit slot:** This vulnerability is a "design feature" resulting from the interaction between Apple and Visa. MasterCard transactions always include a second, asymmetric layer of security between the card and the reader, which would detect the modified data. Visa, however, only requires this asymmetric signature in specific situations, such as when the reader is offline. During the attack, the retail reader is kept online, so it doesn't bother with this asymmetric security check, even though the phone (tricked into thinking it's a transit reader) *does* send an asymmetric signature. This signature, if checked by the reader, would reveal the hack because it would be for a low-value transit transaction, not the high-value retail transaction the reader expects.
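The three lies above, and the two conditions under which they work (a phone that trusts the reader's high-value bit, and a scheme that skips the signature check while the reader is online), can be exercised end to end in a small simulation. The following is an added example written for this summary, not the researchers' code or the video's script. The message layouts are loosely modelled on the Visa contactless kernel's Terminal Transaction Qualifiers (reader to phone) and Card Transaction Qualifiers (phone to reader), but the exact bit positions, the transit "magic bytes" value, the verification limit and the use of an HMAC as a stand-in for the phone's asymmetric signature are all assumptions made for this model.

```python
"""Toy model of the locked-iPhone / Visa Express Transit bit-flipping attack.

Added illustration, not the researchers' code.  Bit positions, the transit
identification bytes, the limit and the HMAC stand-in for the phone's
asymmetric (fDDA-style) signature are assumptions for this example only.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Reader -> phone flags (TTQ-like).  Positions are assumptions for this model.
TTQ_ODA_SUPPORTED = 0x01    # reader may be offline: phone should sign its data
TTQ_CVM_REQUIRED = 0x40     # "high value": cardholder verification required
# Phone -> reader flags (CTQ-like)
CTQ_CDCVM_PERFORMED = 0x80  # consumer-device CVM (Face ID / Touch ID) was done

TRANSIT_MAGIC = b"TRANSIT"                 # constructed stand-in for the transit reader's bytes
CVM_LIMIT = 100_00                         # 100.00 in minor units; constructed limit
SIGNING_KEY = b"card-private-key-stand-in"  # HMAC stands in for the card's asymmetric signature


@dataclass
class ReaderMsg:
    magic: bytes   # transit identification bytes; empty for a retail reader
    ttq: int
    amount: int    # minor units


@dataclass
class PhoneReply:
    approved: bool
    ctq: int
    signature: Optional[bytes]   # covers the data *the phone* saw, if ODA was requested


def _sign(ttq: int, amount: int, ctq: int) -> bytes:
    # Tamper-evident stand-in for the phone's asymmetric signature over the transaction data.
    msg = ttq.to_bytes(1, "big") + amount.to_bytes(6, "big") + ctq.to_bytes(1, "big")
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()


def phone(msg: ReaderMsg, locked: bool, model: str) -> PhoneReply:
    """Wallet logic. 'iphone' trusts the reader's high-value bit; 'samsung'
    (per the video) compares the amount against its own limit instead."""
    transit_reader = msg.magic == TRANSIT_MAGIC and bool(msg.ttq & TTQ_ODA_SUPPORTED)
    if locked and not transit_reader:
        return PhoneReply(False, 0, None)      # would require unlocking first
    if model == "iphone":
        high_value = bool(msg.ttq & TTQ_CVM_REQUIRED)
    else:
        high_value = msg.amount > CVM_LIMIT
    if high_value:
        return PhoneReply(False, 0, None)      # would prompt Face ID / Touch ID
    ctq = 0                                     # honest reply: no CDCVM performed
    sig = _sign(msg.ttq, msg.amount, ctq) if msg.ttq & TTQ_ODA_SUPPORTED else None
    return PhoneReply(True, ctq, sig)


def reader_request(amount: int, online: bool) -> ReaderMsg:
    ttq = TTQ_CVM_REQUIRED if amount > CVM_LIMIT else 0
    if not online:
        ttq |= TTQ_ODA_SUPPORTED   # offline-capable readers ask the phone for a signature
    return ReaderMsg(b"", ttq, amount)


def reader_accepts(msg: ReaderMsg, reply: PhoneReply, scheme: str) -> bool:
    """Reader-side checks before the transaction is forwarded to the bank."""
    if not reply.approved:
        return False
    if msg.ttq & TTQ_CVM_REQUIRED and not reply.ctq & CTQ_CDCVM_PERFORMED:
        return False                             # high value but unverified
    # 'mastercard' always verifies the signature; 'visa' only when it asked for ODA.
    check_sig = scheme == "mastercard" or bool(msg.ttq & TTQ_ODA_SUPPORTED)
    if check_sig:
        expected = _sign(msg.ttq, msg.amount, reply.ctq)   # over what the reader sent/received
        if reply.signature is None or not hmac.compare_digest(reply.signature, expected):
            return False                         # signature covers different data: tampering
    return True


def mitm_to_phone(msg: ReaderMsg) -> ReaderMsg:
    """Lie 1 and lie 2: pose as an offline-capable transit reader and clear
    the high-value bit, so the locked iPhone approves without verification."""
    ttq = (msg.ttq | TTQ_ODA_SUPPORTED) & ~TTQ_CVM_REQUIRED
    return ReaderMsg(TRANSIT_MAGIC, ttq, msg.amount)


def mitm_to_reader(reply: PhoneReply) -> PhoneReply:
    """Lie 3: claim the phone performed consumer-device verification."""
    return PhoneReply(reply.approved, reply.ctq | CTQ_CDCVM_PERFORMED, reply.signature)


def transaction(amount: int, model: str, scheme: str, attack: bool, online: bool = True) -> bool:
    """True if the reader accepts the transaction from a locked phone."""
    req = reader_request(amount, online)
    to_phone = mitm_to_phone(req) if attack else req
    reply = phone(to_phone, locked=True, model=model)
    to_reader = mitm_to_reader(reply) if attack else reply
    return reader_accepts(req, to_reader, scheme)


if __name__ == "__main__":
    print("iPhone + Visa, $10,000, attacked:", transaction(10_000_00, "iphone", "visa", attack=True))
    print("Samsung + Visa, same attack:     ", transaction(10_000_00, "samsung", "visa", attack=True))
    print("iPhone + Mastercard, same attack:", transaction(10_000_00, "iphone", "mastercard", attack=True))
    print("iPhone + Visa, offline reader:   ", transaction(10_000_00, "iphone", "visa", attack=True, online=False))
```

The model makes the two dependencies visible: the phone only sees the reader's bits, so flipping them is enough to drive an iPhone, while the Samsung branch declines on the amount itself; and the signature the phone produces does cover the data it actually saw, so any reader that verifies it (the Mastercard-style path, or a Visa reader that asked for offline authentication) rejects the forged exchange.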
The professors revealed this vulnerability to Apple and Visa privately in 2021. Apple's response states it's a "concern with the Visa system," but Visa "does not believe this kind of fraud is likely to take place in the real world" and emphasizes their "zero liability policy" to protect cardholders. Visa reiterated this stance, arguing that the vulnerability is unlikely to scale to real-world fraud, and consumers can dispute unauthorized transactions.
The video questions whether relying on refunds after the fact is sufficient, given the stress and disruption a large unauthorized transaction can cause before it is reversed. It suggests that, just as the aviation industry meticulously analyzes every crash to prevent a recurrence, payment systems handling the money of millions of people should aim for technical fixes that prevent such fraud rather than merely compensating victims afterwards.
To avoid this specific hack, users can turn off Express Transit Mode or ensure they do not have a Visa card enabled for Express Transit on their Apple device. Express Transit Mode is often enabled by default when a suitable card is added to an Apple wallet.