Hackers Claim They Can Pwn Apple Pay Via WiFi

This week in Las Vegas is the Black Hat conference. This of course is the conference where hackers of all descriptions will show up to show off security related research and show how to pwn everything. Case in point is research by Positive Technologies that The Register is reporting on where they have two attack vectors for Apple Pay. The first one requires malware to be injected into a jailbroken device. Thus illustrating why you should never jailbreak a device. But the second attack vector does not require a jailbroken device and utilizes WiFi:

The first step in the second attack is for hackers to steal the payment token from a [targeted] victim’s phone. To do that, they will use public Wi‑Fi, or offer their own ‘fake’ Wi‑Fi hotspot, and request users create a profile. From this point they can steal the ApplePay cryptogram [the key to encrypting the data].

Apple states that the cryptogram should only be used once. However, merchants and payment gateways are often set up to allow cryptograms to be used more than once.

As the delivery information is sent in cleartext, without checking its integrity, hackers can use an intercepted cryptogram to make subsequent payments on the same website, with the victim charged for these transactions.

Take home message. Don’t use WiFi when you use Apple Pay. But even if you don’t use WiFi, you have to wonder how long it will be before hackers figure out how to pull off an attack like this over a cellular network. If that is in the works, they better hurry because the researchers informed Apple about these attack vectors. Which means that Apple is likely working on a fix. Though, there might be a problem with that:

Fixing the issue will require action from all points in the chain, including the banking merchants, payment gateways, and card issuers, the security firm claimed.

We’ll see if Apple gets that co-operation to close this attack vector.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: