At the Black Hat USA hacking conference, security researchers from Positive Technologies announced to have devised two distinct attacks against ApplePay exploiting weaknesses in the mobile payment method.
ApplePay is considered today one of the most secure payment systems, but Positive Technologies claimed it had discovered two potential attack vectors.
“With wireless payments – PayPass, ApplePay, SamsungPay, etc, there is a perception that ApplePay is one of the most secure systems. ApplePay’s security measures mean that it has a separate microprocessor for payments [Secure Enclave], card data is not stored on the device nor is it transmitted in plaintext during payments.” said Timur Yunusov, head of banking security for Positive Technologies.
“During testing, I have discovered at least two methods that render these precautions worthless. While one relies on the device being jailbroken, which is estimated at 20 percent* and is a practice that the security community opposes, another is against a device that is ‘intact.’ Attackers can either register stolen card details to their own iPhone account, or they can intercept the SSL traffic between the device and the Apple Server to make fraudulent payments directly from the victim’s phone.”
A first attack presented in a talk by Yunusov requires a jailbroken device to work, this means that attackers have to infect a jailbroken device with malware. Once infected the mobile, the attackers can intercept the payment data to an Apple server. Once hackers have successfully infected the device with malware having root privileges, they have reached their goal.
The second attack doesn’t request a jailbroken because hackers intercept and/or manipulate SSL transaction traffic. The attackers tamper with transaction data, for example by changing the amount or currency being paid or the delivery details for the goods being ordered.
Attackers can register stolen card details to their own iPhone account to make payments on behalf of the victims, they can intercept the SSL traffic between the device and the Apple Server to make fraudulent payments.
“The first step in the second attack is for hackers to steal the payment token from a [targeted] victim’s phone. To do that, they will use public Wi‑Fi, or offer their own ‘fake’ Wi‑Fi hotspot, and request users create a profile. From this point they can steal the ApplePay cryptogram [the key to encrypting the data].Apple states that the cryptogram should only be used once. However, merchants and payment gateways are often set up to allow cryptograms to be used more than once.” Positive Technologies explained to El Reg.
“As the delivery information is sent in cleartext, without checking its integrity, hackers can use an intercepted cryptogram to make subsequent payments on the same website, with the victim charged for these transactions.”
The experts highlighted that there are some limitations to the attack, for example, the victim will receive a notification about the transaction as soon as it is made, this means that they can immediately block their card.
Researchers recommend to avoid using ApplePay to purchase items online on websites that don’t use the “https” and to avoid making transactions in public Wi‑Fi networks where the attackers can easily eavesdrop the traffic.
“The advice, as always, is to avoid jailbreaking a device in the first instance,” said Yunusov who added, “Another precaution is for users to avoid downloading unnecessary applications which will help prevent malware from being added to the device.”
Positive Technology already reported its findings to Apple, but it warns that the development of patches will be no simple due to the significant impact on any components of the security chain.
(Security Affairs – (ApplePay hacking, Black Hat 2017)