Engineering · 6 min read · 18 April 2026

A Known NFC Flaw Drained $10,000 From a Locked iPhone — Unfixed for 5 Years

Researchers demonstrated live that Apple's Express Transit mode lets attackers charge any amount to a locked, screen-off iPhone using basic NFC hardware.

Source: hackernoon · Hacktivist

A five-year-old NFC relay attack lets anyone charge unlimited amounts to a locked iPhone via Apple's Express Transit feature, with neither Apple nor Visa having shipped a fix.

  • Researchers used a Proxmark reader, laptop, and Android phone to relay $10,000 from a locked iPhone.
  • No passcode, Face ID, or screen interaction was required during the transaction.
  • The vulnerability was first disclosed in 2021 and presented at IEEE Security & Privacy in 2022.
  • Express Transit skips amount verification to achieve sub-second transit gate response times.
  • Attackers spoof 'magic bytes' that identify a transit terminal, tricking the Secure Element.
  • The flaw affects only Visa cards; Mastercard, Amex, and Discover are not vulnerable.
  • Apple blames Visa; Visa calls the attack unlikely and cites zero-liability refund policy.
  • No real-world exploitation has been confirmed, and the attack requires sustained physical proximity.

Frequently asked questions

  • The attack uses a relay chain: an NFC reader placed near the victim's iPhone intercepts the Express Transit handshake, spoofs the identifier bytes that tell the phone it is communicating with a transit gate, and forwards the session to an Android device acting as a card emulator at a real payment terminal. Because Express Transit skips amount verification to achieve fast gate response times, the Secure Element authorizes whatever amount the attacker's terminal requests — in the demonstrated case, $10,000 — without any screen interaction or biometric prompt from the phone's owner.
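As an added example (not from the original article, Apple, or Visa), the sketch below shows issuer-side screening that flags authorizations made without cardholder verification when the merchant is not a transit operator or the amount exceeds a fare-sized cap. The record fields, the cap value, and the assumption that the issuer can see whether the device verified the user are all hypothetical.

```python
# Added example: issuer-side screening of authorizations (field names hypothetical).
from dataclasses import dataclass

# Merchant category codes for transit operators (commuter transport, rail, bus).
TRANSIT_MCCS = {"4111", "4112", "4131"}
# Assumed policy cap for a fare paid without unlocking the device, in cents.
TRANSIT_CAP_CENTS = 5_000


@dataclass(frozen=True)
class Auth:
    txn_id: str
    cardholder_verified: bool  # True if passcode/biometric was used on the device
    mcc: str                   # merchant category code reported by the acquirer
    amount_cents: int


def screen(auth: Auth) -> list[str]:
    """Return the reasons an authorization looks like misuse of Express Transit."""
    if auth.cardholder_verified:
        return []  # user unlocked the device; outside this check's scope
    reasons = []
    if auth.mcc not in TRANSIT_MCCS:
        reasons.append("unverified payment at non-transit merchant")
    if auth.amount_cents > TRANSIT_CAP_CENTS:
        reasons.append("unverified amount above transit cap")
    return reasons


def flagged(auths):
    """Map txn_id -> reasons for every authorization with at least one reason."""
    return {a.txn_id: r for a in auths if (r := screen(a))}


# Constructed sample records, not real transaction data.
SAMPLE = [
    Auth("t1", False, "4111", 290),        # ordinary gate tap
    Auth("t2", True, "5732", 1_000_000),   # unlocked, verified purchase
    Auth("t3", False, "5732", 1_000_000),  # unverified $10,000 (MCC constructed)
    Auth("t4", False, "4112", 20_000),     # transit MCC but large amount
]

if __name__ == "__main__":
    for txn_id, reasons in flagged(SAMPLE).items():
        print(txn_id, "->", "; ".join(reasons))
```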
