The Washington Post

So you want to hack Apple Pay?


A decade ago, a group of Johns Hopkins University grad students tried to hack one of the first commercially popular Near Field Communication payment systems – the kind of technology at the heart of Apple’s new mobile payment system. It took a few thousand dollars in gear and a few months of work. But the system, ExxonMobil's Speedpass, was entirely hackable.

The key was reverse engineering the computer chip that broadcast the payment information for Speedpass, which allows users to buy gas by placing a key fob near sensors mounted on gas pumps. With hacking gear loaded into the back seat of an SUV, the students were able to spoof the Speedpass key fob, pull up to a local ExxonMobil station, then drive away a few minutes later with some gas. No actual key fob necessary. They also figured out a way to steal information from this and similar devices just by placing antennas a few feet away and picking up the radio signals.

“We could then just go out and buy things in your name,” recalled Matthew Green, now a research professor at Johns Hopkins who specializes in cryptography. “It was a fun project.”

That may sound like a cautionary tale about the security of Apple Pay, which the company announced to fanfare on Tuesday as an efficient, secure new way to pay for a wide range of goods. But in fact, experts are excited about Apple Pay, arguing that it may herald a new era in transaction security and help end the rash of data breaches that have hit major retailers in recent years.


For starters, there are crucial differences between a Speedpass key fob and the iPhone that will be at the heart of Apple Pay. A key fob is dumb; it can transmit information but can’t do much else. An iPhone is smart; it can transmit information but also ask its user questions, such as: Do you really want to buy $75 worth of gas? To complete the transaction, the owner of the iPhone will have to confirm payment by placing a finger on the iPhone’s fingerprint reader, which comes standard on the iPhone 5S, as well as the new iPhone 6 and iPhone 6 Plus.

This two-step process, experts say, could mark a major step forward in the security of billions of dollars of transactions every day, particularly in the United States where antiquated credit card technology – long replaced in much of the world – is still the norm. Nearly all U.S. credit and debit cards carry enough information on their magnetic strips to authorize thousands of dollars in fraudulent purchases, and that information gets routinely transmitted with each transaction. This offers criminals mass hacking opportunities, as Target, Neiman Marcus, Home Depot and their customers have learned to their great dismay.

But more secure – even much more secure – is not the same as totally secure. Again, Apple offers a useful example. Security experts say iPhones are, in general, more secure than Android phones from viruses, hacks and government surveillance. But that superior security didn’t stop some sleazy, tenacious criminals from finding a way to steal intimate pictures from dozens of Hollywood celebrities and post them online.

The weak point in Apple’s photo security, several experts have concluded, was not the iPhones used for taking many of the pictures; instead it was Apple’s iCloud service, which is both newer and, by many accounts, less secure than the iPhone itself. (Apple denies that any of its systems were breached.)

So what is the weak point in Apple Pay? Again, the iPhone itself has a strong set of security systems. The same may not be true of your thumb. People leave fingerprints everywhere, especially on the glass surfaces of their smartphones. Could somebody steal your thumb print and verify a purchase on Apple Pay without the iPhone’s actual owner knowing?

The idea is not a new one.

A year ago, in the days before Apple announced its iPhone 5S, the first to come with a fingerprint reader, a group of security experts anticipating the new feature held an informal competition to crack it. Through a Web site, they solicited thousands of dollars of pledges – including significant numbers of Bitcoins and at least one bottle of whiskey – to whoever could defeat the new fingerprint reader.

About two weeks later, a man calling himself “Starbug” from Germany’s famous hacker consortium, the Chaos Computer Club, submitted a short video that looks like something out of Mission Impossible. It starts with a scanner getting a digital image of a fingerprint left on the glass of an iPhone. Starbug then, in a several-step process, makes a metal plate containing the image and uses a bit of wood glue to turn the print into a dry but flexible blob capable of tricking the iPhone’s fingerprint reader. (Watch the 3:34 minute demonstration here.)

But there’s another security element at play too. Green and his fellow grad students had to decode the cryptography used in the Speedpass in order to spoof the key fob and buy gas at ExxonMobil. That was relatively easy back in the days when commercial cryptography often relied on easily cracked codes just 40 bits long. The standard now is 128 bits and sometimes more – making the hacker’s job harder. (Speedpass has upped its game as well, now requiring users in many areas to verify purchases by entering their Zip codes.)

So, in theory anyway, a person capable of getting close to your iPhone could potentially spoof the radio signal and crack the cryptography. Or if you are not careful about keeping your passcode private, that same person could take your iPhone, enter the passcode and initiate a transaction that way. In either scenario, a dummy fingerprint could then verify the transaction.

Possible? Yes. Plausible? We’ll see.

Either way, it's unlikely to be done on a mass scale, as today's credit card hacks are.

“It’s likely this Apple Pay thing isn’t bullet proof,” said Christopher Soghoian, a security expert and principal technologist for the ACLU. “But it’s still a million times better than what we have now.”