
BlackHat 2017 – Positive Technologies researcher claims ApplePay vulnerable to two distinct attacks

BlackHat 2017 – Security expert at Positive Technologies claims ApplePay vulnerable to two distinct attacks.

At the Black Hat USA hacking conference, security researchers from Positive Technologies announced that they had devised two distinct attacks against ApplePay that exploit weaknesses in the mobile payment method.

ApplePay is today considered one of the most secure payment systems, but Positive Technologies claimed it had discovered two potential attack vectors.

“With wireless payments – PayPass, ApplePay, SamsungPay, etc, there is a perception that ApplePay is one of the most secure systems. ApplePay’s security measures mean that it has a separate microprocessor for payments [Secure Enclave], card data is not stored on the device nor is it transmitted in plaintext during payments.” said Timur Yunusov, head of banking security for Positive Technologies.

“During testing, I have discovered at least two methods that render these precautions worthless. While one relies on the device being jailbroken, which is estimated at 20 percent* and is a practice that the security community opposes, another is against a device that is ‘intact.’ Attackers can either register stolen card details to their own iPhone account, or they can intercept the SSL traffic between the device and the Apple Server to make fraudulent payments directly from the victim’s phone.”

The first attack presented in Yunusov's talk requires a jailbroken device: the attackers have to infect the jailbroken device with malware. Once the device is infected, the attackers can intercept the payment data sent to an Apple server. Once the malware is running with root privileges, the attackers have reached their goal.

The second attack doesn’t require a jailbroken device because the hackers intercept and/or manipulate SSL transaction traffic. The attackers tamper with transaction data, for example by changing the amount or currency being paid or the delivery details for the goods being ordered.

Attackers can register stolen card details to their own iPhone account to make payments on behalf of the victims, or they can intercept the SSL traffic between the device and the Apple server to make fraudulent payments.

“The first step in the second attack is for hackers to steal the payment token from a [targeted] victim’s phone. To do that, they will use public Wi‑Fi, or offer their own ‘fake’ Wi‑Fi hotspot, and request users create a profile. From this point they can steal the ApplePay cryptogram [the key to encrypting the data]. Apple states that the cryptogram should only be used once. However, merchants and payment gateways are often set up to allow cryptograms to be used more than once.” Positive Technologies explained to El Reg.

“As the delivery information is sent in cleartext, without checking its integrity, hackers can use an intercepted cryptogram to make subsequent payments on the same website, with the victim charged for these transactions.”
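The two weaknesses named in the quotes above, cryptogram reuse and unchecked order details, can both be rejected on the merchant or gateway side. The following is an added example, not code from Positive Technologies, Apple or any payment gateway; it treats the cryptogram as an opaque string, and the key, field names and `CryptogramGate` class are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real deployment loads it from a secret store.
MERCHANT_KEY = b"constructed-demo-key"


def order_tag(order: dict) -> str:
    """HMAC over a canonical encoding of amount, currency and delivery details."""
    canonical = json.dumps(order, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(MERCHANT_KEY, canonical, hashlib.sha256).hexdigest()


class CryptogramGate:
    """Accept each cryptogram once, and only with unmodified order details."""

    def __init__(self):
        # In-memory for the demo; a real gateway needs a shared, persistent store.
        self._seen = set()

    def authorize(self, cryptogram: str, order: dict, tag: str) -> str:
        # 1. Integrity: the order must match the tag issued at checkout.
        if not hmac.compare_digest(order_tag(order), tag):
            return "rejected: order modified"
        # 2. Single use: a cryptogram that was already accepted is a replay.
        digest = hashlib.sha256(cryptogram.encode()).hexdigest()
        if digest in self._seen:
            return "rejected: cryptogram replay"
        self._seen.add(digest)
        return "accepted"


def demo():
    gate = CryptogramGate()
    # Constructed sample order and cryptogram values.
    order = {"amount": "19.99", "currency": "EUR", "delivery": "1 Example St"}
    tag = order_tag(order)  # issued server-side when the checkout is created
    first = gate.authorize("CONSTRUCTED-CRYPTOGRAM-0001", order, tag)
    replay = gate.authorize("CONSTRUCTED-CRYPTOGRAM-0001", order, tag)
    tampered = dict(order, delivery="99 Other Rd")
    modified = gate.authorize("CONSTRUCTED-CRYPTOGRAM-0002", tampered, tag)
    return first, replay, modified


if __name__ == "__main__":
    print(demo())
```
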

The experts highlighted that the attack has some limitations; for example, the victim receives a notification about the transaction as soon as it is made, so they can immediately block their card.

Researchers recommend avoiding ApplePay for online purchases on websites that don’t use “https” and avoiding transactions on public Wi‑Fi networks, where attackers can easily eavesdrop on the traffic.

“The advice, as always, is to avoid jailbreaking a device in the first instance,” said Yunusov who added, “Another precaution is for users to avoid downloading unnecessary applications which will help prevent malware from being added to the device.”

Positive Technologies has already reported its findings to Apple, but it warns that developing patches will not be simple due to the significant impact on any components of the security chain.


Pierluigi Paganini

(Security Affairs – ApplePay hacking, Black Hat 2017)
