Apple Tap-to-Pay Security Flaw Shown in Video: Locked iPhone Used in $10K Demo

A new security demonstration has raised concerns about Apple’s payment ecosystem after a YouTuber showcased a potential vulnerability affecting tap-to-pay functionality on iPhones. The issue reportedly allows a locked device to be manipulated in a way that simulates a legitimate payment interaction, without requiring the phone to be unlocked or directly authorized by the user.
Apple has long promoted its ecosystem as highly secure, particularly when it comes to features like NFC-based payments and Express Transit Mode. However, the demonstration suggests that under specific conditions, an attacker could potentially exploit a “man-in-the-middle” style setup to trick an iPhone into processing a payment as if it were interacting with a real point-of-sale terminal.
In the video, the creator—working alongside cybersecurity researchers—shows how specialized hardware can intercept and relay NFC signals. The setup reportedly uses a device connected to a computer to mimic a payment terminal, effectively convincing the iPhone that a legitimate transaction is taking place. The demonstration includes a test scenario involving a locked device, raising questions about how such interactions are validated.
According to the video, the exploit builds on a concept that has been known in cybersecurity circles for several years but is now presented in a more practical, real-world context. It highlights how NFC-based systems, while convenient, can still be vulnerable to relay attacks if security layers are bypassed or misinterpreted.
While there is no indication of widespread real-world abuse, the demonstration has sparked renewed discussion about mobile payment security and the importance of layered protections. It also underscores the ongoing challenge for companies like Apple to balance convenience features such as tap-to-pay with evolving security threats in mobile ecosystems.











