Google Wallet PIN Exposure Vulnerability Demonstrated

viaForensics recently came out with a report about the security of Google Wallet. In it, they concluded that due to the unencrypted personal information and payment history, users might be subject to social engineering attacks, reports Joshua Rubin.In short, the hack allows access to credit card data and purchase history on a rooted Android phone […]

Google Wallet Security: PIN Exposure VulnerabilityviaForensics recently came out with a report about the security of Google Wallet. In it, they concluded that due to the unencrypted personal information and payment history, users might be subject to social engineering attacks, reports Joshua Rubin.

In short, the hack allows access to credit card data and purchase history on a rooted Android phone and could, in theory, allow a hacker to use a Google Wallet freely in the wild. However, it does require the hacker to have unfettered root access to the phone. Using a small program, the exploit simply brute-forces a file found in the phone, thereby revealing the PIN and unlocking the wallet.

There are some steps that Google Wallet users can take today to help mitigate the risk of this vulnerability, according to Rubin:

Google Wallet Security: Demo of PIN Exposure Vulnerability

  1. Do Not "Root" the Cell Phone - Doing so will be one less step for a thief.
  2. Enable Lock Screens - "Face Unlock," "Pattern," "PIN" and "Password" all increase physical security to the device. "Slide," however, does not.
  3. Disable USB Debugging - When enabled, the data on mobile devices can be accessed without first passing a lock screen challenge unless Full Disk Encryption is also enabled.
  4. Enable Full Disk Encryption - This will prevent even USB Debugging from bypassing the lock screen.
  5. Maintain Device Up-To-Date - Ensure the device is current with the latest official software. Unfortunately, users are largely at the behest of their carrier and cell phone manufacturer for this. Using only official software and keeping devices up-to-date is the best way to minimize vulnerabilities and increase security overall.

And, Google recommends anyone with Google Wallet call their toll-free support line at 855-492-5538 to ask that their prepaid card be disabled. They also recommend setting a PIN -- as well as the phone's lock screen. In the statement, Google said that they don't support Google Wallet on rooted phones:

"But sometimes users choose to disable important security mechanisms in order to gain system-level "root" access to their phone; we strongly discourage doing so if you plan to use Google Wallet because the product is not supported on rooted phones. That's why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device," said Osama Bedier, VP, Google Wallet and Payments.

and that:

"The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN. We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."

Also, that they take concrete actions to help protect users. "For example, to address an issue that could have allowed unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock, tonight we temporarily disabled provisioning of prepaid cards. We took this step as a precaution until we issue a permanent fix soon," Bedier added.

This video below demonstrates how the four-digit PIN of Google Wallet, a mobile phone payment system, was cracked and exposed via a Google Wallet Cracker proof of concept app developed by Rubin: