Security researchers over at zvelo have discovered a vulnerability in Google Wallet that could expose users' PIN codes to a brute-force attack. The flaw only affects users who have rooted their Android smartphone, so most people won't need to worry about the issue for now, but the finding will nonetheless hurt customer confidence in Google's new mobile payment system before it even gets off the ground.
The issue apparently stems from the fact that Google Wallet stores a hash of the PIN on the device itself instead of in the NFC secure element. Users with rooted phones are able to read the file where that hash is stored, and even though only a hash is kept there, a four-digit PIN has just 10,000 possible values, so a simple brute-force attack needs at most 10,000 hash calculations to recover it. In the video demonstration below, zvelo researchers were able to retrieve the PIN in less than five seconds using a proof-of-concept Wallet Cracker app.
Google confirmed the PIN vulnerability and is working on a fix. However, it may take a while before an update is out, since moving the PIN verification into the secure element will require the code to be digitally signed by each manufacturer supporting Wallet in order to run. The Internet giant will also need to coordinate with banks, since changing the way the PIN is stored could also change which party is responsible for its security.
In the meantime, users can take some steps to help mitigate the risk of this vulnerability, such as refraining from rooting their phones, enabling the lock screen and full disk encryption, disabling USB debugging and keeping their handsets up to date. You can read more about the vulnerability and how NFC authentication works here.