Veritasium Just Exposed a Serious Apple Pay Vulnerability That Lets Thieves Drain Locked iPhones

A new video from Derek Muller (Veritasium) has gone viral for all the wrong reasons. In it, Marques Brownlee (MKBHD) stands with his iPhone completely locked — no Face ID, no passcode entered — while an attacker uses a custom device to steal $10,000 through Apple Pay in a matter of seconds.
The vulnerability has existed since at least 2021.
How the Attack Works
The exploit is a sophisticated relay attack (also known as a man-in-the-middle attack on NFC):
- The attacker places a custom relay device between the victim’s iPhone and a real payment terminal (or a fake one).
- The device intercepts and forwards NFC communication in real time.
- Because of design choices made for compatibility and convenience, the iPhone approves the transaction without ever being unlocked.

Several factors have to line up for this to work:
- Unencrypted communication between the phone and terminal (needed for global compatibility with millions of older terminals).
- An iOS feature that allows Apple Pay transactions without unlocking the device — originally introduced for fast transit payments (subway, bus, etc.).
- Flawed terminal logic — many payment terminals (especially transit ones) only ask the card “Is this a small amount?” instead of verifying the exact sum.
- iOS trusts the terminal’s estimate — unlike Samsung phones, which independently verify the requested amount and block suspicious transactions.
- Visa-specific weakness in how some transit systems handle authorization (the attack reportedly doesn’t work the same way with Mastercard).
All these pieces must align for the attack to succeed, but as the video dramatically shows, it’s entirely realistic in targeted scenarios.
The Blame Game

- Apple reportedly told researchers it’s a Visa problem.
- Visa’s position is that it’s cheaper and simpler to handle chargebacks and refunds than to overhaul its payment architecture and encryption standards across millions of terminals worldwide.
In other words: nobody wants to fix the root cause because it’s expensive and inconvenient.
Why This Matters

Apple has made some improvements over the years (Express Transit mode can be toggled, Express Cards have limits, etc.), but the core architectural issues remain.
What You Can Do Right Now
- Turn off Express Transit mode when not needed.
- Use a strong passcode and enable Stolen Device Protection.
- Consider adding a secondary card with low limits for daily use.
- For high-value protection, some users are switching certain payments to cards or phones with stronger amount verification (Samsung, newer Google Pixel in some regions).
The Veritasium video is a masterclass in security research communication — clear, dramatic, and deeply concerning. It shows once again that in the world of contactless payments, convenience and security are still in tension, and sometimes convenience wins.
Watch the full video here: Veritasium — The $10,000 Apple Pay Hack
Your locked iPhone may not be as safe as you think.