Google Wallet PIN vulnerable on rooted Android devices

Jos


Security researchers over at zvelo have discovered a vulnerability in Google Wallet that could expose users' PIN codes to a brute-force attack. The flaw only affects users who have rooted their Android smartphone, so most people won't need to worry about the issue for now, but the finding will nonetheless hurt customer confidence in Google's new mobile payment system before it even gets off the ground.

The issue apparently stems from the fact that Google Wallet stores a hash of the PIN on the device itself instead of in the NFC secure element. Users with rooted phones are able to access the file where their PIN is stored, and even though this information is encrypted, it takes a simple brute-force attack involving a maximum of 10,000 calculations to decode its four digits. In the video demonstration below, zvelo researchers were able to retrieve the PIN in less than five seconds using a proof-of-concept Wallet Cracker app.

Google confirmed the PIN vulnerability and is working on a fix. However, it may take a while before an update is out, since moving the PIN verification into the secure element will require code to be digitally signed by each manufacturer supporting Wallet in order to run. The Internet giant will also need to coordinate with banks since changing the way the PIN is stored could also change which agency is responsible for its security.

In the meantime users can take some steps to help mitigate the risk of this vulnerability, such as refraining from rooting their phones, enabling the lock screen and Full Disk Encryption, disabling USB debugging and keeping their handsets up-to-date. You can read more about the vulnerability and how NFC authentication works here.


 
I'm not really surprised. Android is not exactly the most secure OS, and probably never will be until Google gets serious about user experience.

Fortunately, this only affects the most tech savvy, those who put up with the potential risk of bricking their phone by changing their ROM in the first place; hopefully, possibly having their credit card info stolen is another risk they might be willing to take. But then again, without having hard evidence, I'd be inclined to say that the tech savvy users are about 60% of the Android user base. So, not so fortunate.
 
I wonder if AT&T, Verizon, and T-Mobile were funding zvelo. Seeing as how Verizon blocked Google Wallet on the Galaxy Nexus because of the competing payment system Isis.
 
That is completely retarded... why would they store even the hash of a 4 digit pin on the phone? Having such a small passcode, it should never be stored.

Another reason why open source is a good idea... so security practices at least get some sanity checking by peers.
 
Dark Shiv, I don't think they're storing the hash, given the article said it's being cracked via brute force, which is possible due to it being a 4 digit PIN with a small amount of possible combinations. A simple feature like 3-try-lockout would prevent this. What spikes my curiosity is does that phone have the power to crack the password that fast, or is it being done remotely w/ a service like Amazon cloud where they're using powerful servers they pay a small price for to do the heavy work. I'd expect a quad core CPU to be that fast but idk what chip that phone has in it.
 
Dark Shiv, I don't think they're storing the hash, given the article said it's being cracked via brute force

The article also said "The issue apparently stems from the fact that Google Wallet stores a hash of the PIN on the device itself".

The brute force is against the hash.
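
An added example, not part of the article or of any commenter's post and not zvelo's or Google's code: a Python model of the point discussed above, that a PIN hash readable on the device can be matched in at most 10,000 guesses, while a try limit only holds when the check and its counter sit where the host OS cannot reach them, as in the secure element. The salted SHA-256 and PBKDF2 schemes, the three-failure limit and every name below are assumptions; the page does not say how Wallet hashes the PIN.

```python
import hashlib
import hmac
import os

KEYSPACE = [f"{n:04d}" for n in range(10_000)]  # every possible four-digit PIN

def fast_hash(pin: str, salt: bytes) -> bytes:
    # Assumed scheme: one salted SHA-256 (the page does not name the real one).
    return hashlib.sha256(salt + pin.encode()).digest()

def slow_hash(pin: str, salt: bytes) -> bytes:  # stretching: costlier guesses, same ceiling
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 2_000)

def offline_guesses_needed(stored: bytes, salt: bytes, hash_fn) -> int:
    """Guesses needed to match a readable hash when nothing limits attempts."""
    for tried, candidate in enumerate(KEYSPACE, start=1):
        if hmac.compare_digest(hash_fn(candidate, salt), stored):
            return tried
    raise ValueError("stored value is not the hash of a four-digit PIN")

class AttemptLimitedVerifier:
    """Model of a check whose reference value and failure counter the host OS cannot read."""
    def __init__(self, pin: str, max_failures: int = 3):
        self._salt = os.urandom(16)
        self._ref = fast_hash(pin, self._salt)
        self._failures, self._max = 0, max_failures

    def verify(self, guess: str) -> bool:
        if self._failures >= self._max:
            raise PermissionError("locked out")
        ok = hmac.compare_digest(fast_hash(guess, self._salt), self._ref)
        self._failures = 0 if ok else self._failures + 1
        return ok

def guesses_before_lockout(verifier: AttemptLimitedVerifier) -> int:
    tried = 0
    try:
        for candidate in KEYSPACE:
            tried += 1
            if verifier.verify(candidate):
                break
    except PermissionError:
        tried -= 1  # the refused call tested nothing
    return tried

if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample values below
    print(offline_guesses_needed(fast_hash("7315", salt), salt, fast_hash))
    print(guesses_before_lockout(AttemptLimitedVerifier("7315")))
```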
 