Apple's Express Transit Mode Exploited To Steal $10,000 From a Locked iPhone, Video Demonstrates
A YouTuber demonstrated how a five-year-old vulnerability in Apple's Express Transit Mode can be exploited to drain funds from a locked iPhone without user interaction.


Published: April 17, 2026 at 3:08 PM IST
Hyderabad: Apple is known to provide high levels of security and privacy to its users. It offers end-to-end encryption (for iMessage, FaceTime), Secure Enclave technology, and strict App Store vetting processes. The Cupertino-based tech giant also distinguishes itself from competitors by focusing on on-device processing rather than storing user data in the cloud, and argues for keeping user privacy-first. However, a video published by the popular science channel, Veritasium, has demonstrated how a known vulnerability in Apple's Express Transit Mode can be exploited to silently transfer funds from a locked iPhone.
In the video, the presenter, Henry van Dyck, successfully stole $10,000 from fellow famous tech YouTuber Marques Brownlee's iPhone 17 Pro, without unlocking or physically accessing the device.
The vulnerability, first reportedly discovered in 2021, was demonstrated in collaboration with cybersecurity experts and university professors Ioana Boureanu and Tom Chothia. The exploit relies on a "Man in the Middle" attack, using third-party hardware to intercept and manipulate the Near Field Communication (NFC) data exchanged during a contactless payment transaction.
How do cyberattackers exploit this vulnerability?
The attack begins by placing a target iPhone onto a device called a Proxmark, which is a commercially available third-party NFC reader connected to a laptop. According to the video, when the iPhone is placed onto the NFC reader, the phone exchanges transaction data with the Proxmark, which transfers the information to the laptop.
A Python script is then used to modify the transaction data, which is forwarded to a second device. The video shows that when the second device is tapped on a point-of-sale (PoS) terminal, both the iPhone and the terminal are deceived into believing they are communicating directly with one another, resulting in a successful payment.
The attack is made possible by Apple's Express Transit Mode, a feature designed to allow users to pay at transit terminals such as city buses and subway stations without unlocking their iPhone or authenticating via Face ID or Touch ID.
Manipulating Binary Flags to Bypass Authentication
The cybersecurity professors, Boureanu and Chothia, explained that when an iPhone communicates with a transit terminal, it exchanges authentication codes in binary. One critical binary value, which should be set to "1" for proper offline data authentication, is typically returned as "0" by standard PoS devices. An attacker can intercept and modify this value to fool the iPhone into accepting the terminal as legitimate.
Similarly, the transaction value itself can be manipulated using the same method, tricking the iPhone into treating a high-value payment as a low-value one — thereby bypassing the biometric authentication threshold. A separate modification to the binary flags simultaneously deceives the PoS device into believing biometric approval has already been granted.
Boureanu and Chothia stressed that the exploit carries no inherent financial ceiling, stating that the only limit is the balance held in the victim's bank account. Notably, the vulnerability is specific to Visa transit cards, owing to the verification protocols used by the payment network.
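To make the flag-manipulation point above concrete, the following is an added toy model written for this article; it is not code from the video, from Apple, Visa or the researchers, and it is not the real EMV message format. A wallet computes a keyed MAC over the transaction fields it sees, a relay lets the phone and the terminal see different messages, and the issuer recomputes the MAC over the fields the terminal reports. The field names, the message encoding and the shared key are assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed toy model of the exchange described above (not the EMV
# message format). Field names, encoding and key are assumptions.
ISSUER_KEY = b"toy-issuer-key"  # shared by wallet and issuer in this model

@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    oda_supported: bool   # the binary value the article says is flipped "0" -> "1"
    transit_reader: bool  # the "magic bytes" marking a transit terminal

def wallet_cryptogram(seen: Transaction, covered: tuple) -> bytes:
    """MAC the phone produces over the fields listed in `covered`. Leaving the
    flags out of `covered` mirrors the unprotected flags in the article."""
    data = "|".join(str(getattr(seen, f)) for f in covered).encode()
    return hmac.new(ISSUER_KEY, data, hashlib.sha256).digest()

def issuer_accepts(reported: Transaction, cryptogram: bytes, covered: tuple) -> bool:
    """The issuer recomputes the MAC over what the terminal reports."""
    return hmac.compare_digest(wallet_cryptogram(reported, covered), cryptogram)

def relayed_outcome(terminal_view: Transaction, phone_view: Transaction, covered: tuple) -> bool:
    """A man in the middle lets phone and terminal see different messages:
    the phone signs phone_view, the terminal submits terminal_view."""
    return issuer_accepts(terminal_view, wallet_cryptogram(phone_view, covered), covered)

AMOUNT_ONLY = ("amount_cents",)
AMOUNT_AND_FLAGS = ("amount_cents", "oda_supported", "transit_reader")

def demo() -> dict:
    terminal = Transaction(1_000_000, oda_supported=False, transit_reader=False)  # $10,000 at a PoS
    as_seen_by_phone = Transaction(1_000_000, oda_supported=True, transit_reader=True)
    low_amount_to_phone = Transaction(500, oda_supported=True, transit_reader=True)
    return {
        "honest": relayed_outcome(terminal, terminal, AMOUNT_AND_FLAGS),
        "flags_tampered_unprotected": relayed_outcome(terminal, as_seen_by_phone, AMOUNT_ONLY),
        "flags_tampered_protected": relayed_outcome(terminal, as_seen_by_phone, AMOUNT_AND_FLAGS),
        "amount_tampered_protected": relayed_outcome(terminal, low_amount_to_phone, AMOUNT_AND_FLAGS),
    }
```

Only fields the cryptogram covers can be checked by the issuer; in the model the tampered flags pass whenever they are left out of the MAC, and are rejected as soon as they are included.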
Apple and Visa’s Response
Van Dyck noted that Apple deliberately leaves certain transit communication flags, referred to as "magic bytes", and EMV flags unencrypted, because of the need for compatibility across a wide range of readers and locations. When the Veritasium team approached Apple for comment, the tech giant directed the responsibility towards Visa, stating that the issue lies within Visa's system. Visa, for its part, stated that it does not believe the fraud is replicable in real-world conditions, adding that customers are protected under its zero-liability policy.
Given these responses, it remains unclear whether the demonstrated vulnerability will be resolved and the public safeguarded from exploitation.

