
Veritasium
I hacked MKBHD's locked phone
Summarised with Bite · 8 min read
A cybersecurity team demonstrates a five-year-old exploit that drains $10,000 from MKBHD's locked iPhone using only a card reader and laptop—no password, no Face ID, nothing. Despite being publicly disclosed in 2021, the loophole remains unfixed because Apple blames Visa, Visa calls it statistically insignificant, and neither has implemented the technical changes to close it.
0:00 – 4:08
The $10,000 Magic Trick Nobody Should Be Able to Pull Off
Marques Brownlee places his locked iPhone face-down on what looks like an ordinary payment terminal. No password. No Face ID. No thumbprint. The host enters $10,000, taps the phone against the reader, and—ding—the transaction goes through. "Approved," reads the screen. Marques checks his phone: a new $10,000 charge, timestamped seconds ago. "I don't like that at all," he mutters, visibly rattled. This isn't a David Copperfield illusion. It's a man-in-the-middle attack developed by University of Surrey professors Ioana Boureanu and Tom Chothia, first made public in 2021. The exploit chains together three lies: one to bypass the lock screen, one to fool the phone into treating $10,000 as a "low-value" subway fare, and one to convince the card reader that the user verified the payment. The kicker? Five years later, the loophole still exists—because fixing it requires Apple and Visa to stop pointing fingers at each other.
4 more sections in the app
- 4:08 – 9:23How Express Transit Mode Became a Backdoor
- 9:23 – 18:19Three Lies, Three Layers of Defense Shattered
- 18:19 – 22:23Why Only iPhones + Visa Cards Fall for This
- 22:23 – 25:33Apple and Visa Play Hot Potato While Your Money's at Risk




