Black Hat USA Security researchers say they have come up with two separate "attacks" against ApplePay, highlighting what they claim are weaknesses in the mobile payment method.
One of the attacks developed by the white hats, and presented at Black Hat USA yesterday, requires a jailbroken device to work, but the other assault does not.
In the first attack, say the researchers from Positive Technologies, hackers will initially need to infect a jailbroken device with malware. Having achieved this, they might then be able to intercept traffic en route to an Apple server, in this case payment data being added to the device's account. Once hackers have succeeded in pushing malware with root privileges, then it's game over (in most scenarios), claim the white hats.
The second attack can be performed against any device as hackers intercept and/or manipulate SSL transaction traffic without employing any sophisticated equipment or skills, they say. The attack involves replaying or tampering with transaction data: changing the amount or currency being paid, or changing the delivery details for the goods being ordered.
Timur Yunusov, head of banking security for Positive Technologies explained: "With wireless payments - PayPass, ApplePay, SamsungPay, etc, there is a perception that ApplePay is one of the most secure systems. ApplePay's security measures mean that it has a separate microprocessor for payments [Secure Enclave], card data is not stored on the device nor is it transmitted in plaintext during payments."
Although Apple's approach might seem sound, Positive Technologies claimed it had nevertheless uncovered two potential avenues of attack. While one relies on the device being jailbroken – a practice frowned upon by security experts that is carried out by an estimated one in five users – another attack can target an unmodified iPhone or iPad, as Positive Technologies explained to El Reg.
The first step in the second attack is for hackers to steal the payment token from a [targeted] victim's phone. To do that, they will use public Wi‑Fi, or offer their own 'fake' Wi‑Fi hotspot, and request users create a profile. From this point they can steal the ApplePay cryptogram [the key to encrypting the data].
Apple states that the cryptogram should only be used once. However, merchants and payment gateways are often set up to allow cryptograms to be used more than once.
As the delivery information is sent in cleartext, without checking its integrity, hackers can use an intercepted cryptogram to make subsequent payments on the same website, with the victim charged for these transactions.
"Attackers can either register stolen card details to their own iPhone account, or they can intercept the SSL traffic between the device and the Apple Server to make fraudulent payments directly from the victim's phone," according to Yunusov.
There are some limitations to the attack from the point of view of would-be cybercrooks. For one thing, the victim will get an advisory detailing the transaction as soon as it is made so they may block their card – although they could just dismiss the warning as an error. There is also the risk that the bank/merchant/payment gateway could identify and block suspicious transactions.
Positive Technology advises users to be vigilant when using ApplePay to purchase items online, particularly monitoring for the use of "https" or fraudulent websites, and to avoid making transactions in public Wi‑Fi environments where traffic might be easily snooped.
Positive Technology's Yunusov presented his research at Black Hat USA yesterday. The security firm confirmed it had informed Apple of its research beforehand.
Fixing the issue will require action from all points in the chain, including the banking merchants, payment gateways, and card issuers, the security firm claimed. ®