Positive Technologies BlackHat Session Demonstrates ApplePay Vulnerable to Two Attacks - At Least

One does not require the device to be ‘jailbroken’

Mandalay Bay, Las Vegas and London, UK – July 27, 2017: In a session at Blackhat USA 2017, a senior researcher for Positive Technologies will demonstrate two separate attacks that can be performed against ApplePay, highlighting weaknesses in the payment method. While one will require a jailbroken device, the other does not.

In one attack, hackers will need to first infect a jailbroken device with malware. Having done so, they are then able to intercept traffic as it is transferred to the Apple server, in this case payment data being added to the device’s account.

The second attack can be performed against any device as hackers intercept and/or manipulate SSL transaction traffic without employing any sophisticated equipment or skills. Doing so allows them to replay or tamper with transaction data: change the amount or currency being paid, or change the delivery details for the goods being ordered.

Timur Yunusov, Head of Banking Security for Positive Technologies explains, “With wireless payments - PayPass, ApplePay, SamsungPay, etc., there is a perception that ApplePay is one of the most secure systems. ApplePay’s security measures mean that it has a separate microprocessor for payments [Secure Enclave], card data is not stored on the device nor is it transmitted in plaintext during payments. On paper this appears to be the perfect defence. However, the devil is in the detail! During testing, I have discovered at least two methods that render these precautions worthless. While one relies on the device being jailbroken, which is estimated at 20%* and is a practice that the security community opposes, another is against a device that is ‘intact.’Attackers can either register stolen card details to their own iPhone account, or they can intercept the SSL traffic between the device and the Apple Server to make fraudulent payments directly from the victim's phone.”

The advice, as always, is to avoid jailbreaking a device in the first instance. Another precaution is for users to avoid downloading unnecessary applications which will help prevent malware from being added to the device. In tandem, users must be vigilant when using ApplePay to purchase items online, particularly monitoring for the use of ‘https’ or fraudulent websites, and to avoid doing so when using public wifi when traffic is most vulnerable.

Timur will present his findings in the Jasmine Ballroom at BlackHat USA, Las Vegas, on Thursday, 27 July at 9am local time.

To find out more information about Positive Technologies, and its solutions, visit: www.ptsecurity.com.