BlackHat: security researcher says ApplePay vulnerable to two separate attacks

News by Roi Perez

Positive Technologies' Timur Yunusov says ApplePay's security measures mean that on paper it appears to have the perfect defence. But that's not the case.

Two separate attacks which can be used against ApplePay, Apple's mobile payment system, have been found by a senior researcher at security firm Positive Technologies.

Announced in a session at Black Hat USA 2017, the company said in a release that, while one will require a jailbroken device, the other does not.

The attack which can be performed against any device is carried out by intercepting and/or manipulating SSL transaction traffic, and allows attackers to replay or tamper with transaction data: change the amount or currency being paid, or change the delivery details for the goods being ordered. This can be done without any sophisticated equipment or skills, says the researcher.

In the other attack, hackers will need to first infect a jailbroken device with malware. Having done so, they are then able to intercept traffic as it is transferred to the Apple server, in this case payment data being added to the device's account.

Timur Yunusov, head of banking security for Positive Technologies, explains, “ApplePay's security measures mean that it has a separate microprocessor for payments [Secure Enclave], card data is not stored on the device nor is it transmitted in plaintext during payments. On paper this appears to be the perfect defence.”

Yunusov added, “During testing, I have discovered at least two methods that render these precautions worthless. While one relies on the device being jailbroken, which is estimated at 20 percent* and is a practice that the security community opposes, another is against a device that is ‘intact.’ Attackers can either register stolen card details to their own iPhone account, or they can intercept the SSL traffic between the device and the Apple Server to make fraudulent payments directly from the victim's phone.”

“The advice, as always, is to avoid jailbreaking a device in the first instance,” said Yunusov, who added, “Another precaution is for users to avoid downloading unnecessary applications which will help prevent malware from being added to the device.”

In tandem, the company says users must be vigilant when using ApplePay to purchase items online, particularly checking for the use of ‘https’ and watching for fraudulent websites, and should avoid making purchases over public Wi-Fi, when traffic is most vulnerable.
