Updated Friday, 9 a.m. Eastern
A security researcher has found a serious flaw in Google Wallet's PIN protection that, in seconds, could enable an attacker to view everything in the owner's digital wallet, including credit card numbers and transaction history.
Later on Thursday, another Google Wallet flaw came to light. A posting and video at The Smartphone Champ blog showed how to access the Google Prepaid Card balance on a secondhand or stolen phone.
Explained in a blog post and a video called "Google Wallet Cracker" by Joshua Rubin from the Web security firm Zvelo, the first glitch, which requires a "rooted" phone, concerns the four-digit PIN Google Wallet requires its account holders to enter in order to access and edit their information.
Google Wallet, which lets a smartphone pay for purchases in stores over near-field communication (NFC), exchanges encrypted data between the phone and the point-of-sale terminal.
To secure these transactions, NFC payment relies on a Secure Element (SE), a tamper-resistant chip similar to a smart card, which holds the card credentials and produces the encrypted data sent each time the phone interacts with a payment terminal.
That includes "the most sensitive data such as the complete credit card number," Rubin wrote. SE access is "highly regulated, and it is designed to resist tampering, possibly even engaging in a self-destruct mechanism to protect its data," said Rubin. "This is the core security layer of NFC payment systems."
However, in order for customers to access their own SE, they must enter a four-digit PIN. It's here where the problem lies; Google Wallet, currently available in the United States only on the Sprint Nexus S phone, stores a hash of the PIN on the phone's own file system, outside the Secure Element, where anyone with root access can copy it. Rubin and his colleagues were able to recover the PIN from that hash by brute force using an app they created. (Verizon Wireless is not installing the Google Wallet app on its version of the Nexus S.)
"Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would require calculating, at most, 10,000" hashes, Rubin wrote. "This is trivial even on a platform as limited as a smartphone. Proving this hypothesis took little time."
As a preventive measure, Google Wallet allows only five invalid PIN entries before locking users out. Rubin's app cracked the PIN without registering a single failed attempt: the brute force runs against the copied hash rather than through the app's own PIN prompt, so the lockout counter never increments.
"This completely negates all of the security of this mobile phone payment system," he said.
Exploiting this vulnerability is only possible, for now, on Android phones that have been rooted, meaning the owner has modified the operating system and has full access to the filesystem. In most cases, successfully cracking the PIN would require the attacker to have physical access to a target's phone.
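The following Python is an added illustration of the attack described above and is not code from Zvelo, Google or the original article. The page does not say how Google Wallet formats its stored PIN hash, so a salted SHA-256 record is an assumption used as a stand-in; the `LockoutVerifier` class is a hypothetical model of the app's five-try PIN prompt. The point it makes is general: any four-digit PIN has only 10,000 possibilities, so a lockout on the prompt protects nothing once the hash itself can be read from the file system.

```python
import hashlib
import secrets
from typing import Optional, Tuple


def store_pin_hash(pin: str, salt: Optional[bytes] = None) -> dict:
    """Constructed stand-in for the record a wallet app writes to its
    (root-readable) database. Salted SHA-256 is an assumption, not
    Google Wallet's actual scheme."""
    salt = salt if salt is not None else secrets.token_bytes(8)
    digest = hashlib.sha256(salt + pin.encode()).hexdigest()
    return {"salt": salt.hex(), "hash": digest}


def offline_brute_force(record: dict) -> Tuple[Optional[str], int]:
    """Recover a 4-digit PIN from a leaked {salt, hash} record.

    Runs entirely against the copied record; the app's lockout never
    sees a guess. Returns (pin, number_of_hashes_computed)."""
    salt = bytes.fromhex(record["salt"])
    target = record["hash"]
    for n in range(10_000):
        candidate = f"{n:04d}"
        if hashlib.sha256(salt + candidate.encode()).hexdigest() == target:
            return candidate, n + 1
    return None, 10_000


class LockoutVerifier:
    """Hypothetical online PIN check with the five-attempt lockout the
    article describes. Only verify() touches the failure counter."""

    MAX_FAILURES = 5

    def __init__(self, pin: str) -> None:
        self._record = store_pin_hash(pin)
        self.failures = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        salt = bytes.fromhex(self._record["salt"])
        ok = hashlib.sha256(salt + guess.encode()).hexdigest() == self._record["hash"]
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.MAX_FAILURES:
                self.locked = True
        return ok

    def leak_record(self) -> dict:
        """What a root-level attacker copies off the file system."""
        return dict(self._record)


def online_guessing(verifier: LockoutVerifier) -> Tuple[Optional[str], int]:
    """Guess through the app's own prompt: the lockout stops this after
    five wrong tries. Returns (pin_if_found, attempts_made)."""
    attempts = 0
    for n in range(10_000):
        if verifier.locked:
            break
        attempts += 1
        guess = f"{n:04d}"
        if verifier.verify(guess):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    v = LockoutVerifier("7391")
    print("online: ", online_guessing(v))                  # (None, 5): locked out
    print("offline:", offline_brute_force(v.leak_record()))  # ('7391', 7392)
```

Running it shows the two paths side by side: guessing through the prompt is locked after five attempts, while hashing the copied record recovers the PIN after at most 10,000 SHA-256 calls, which takes well under a second even on a phone. The only structural fix is the one the article goes on to discuss: verify the PIN inside the tamper-resistant element, where the hash cannot be copied out and the rate limit cannot be bypassed.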
But, as Sophos' Chester Wisniewski pointed out in a blog posting, "Android phones are trivial to root."
In an email to SecurityNewsDaily, a Google spokesperson said, "The Zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN."
What Rubin found particularly worrisome is that Google effectively has its hands tied when it comes to fixing the problem.
As Bill Ray from The Register explained, "The obvious way to fix this is to move all the data into the secure element on the phone. The secure element is essential to NFC transactions, but falls under the legal responsibility of the payment processor — so moving the PIN into there would change the already complex legal architecture."
Rubin said he disclosed the vulnerability to Google, which was "extremely responsive" to the issue, but, because of the tricky relationship between the customer, Google and the payment processors, it has not released a fixed version of Google Wallet yet.
In the meantime, Google urges Google Wallet customers to set up a screen lock on their phones and not to install Google Wallet on rooted devices. It's also worth enabling full-disk encryption where the device supports it and keeping the phone up to date with the latest software, with one caveat: disk encryption protects data only while the phone is powered off, so it does nothing against an attacker who gains root on a phone that is already booted and unlocked.
The second exploit of Google Wallet is more limited but requires no rooting or technical skills.
The security bypass, which may have first been mentioned in December in a developers' discussion forum, is simple: Go into "Application Settings," select "Google Wallet" and select "Clear Data." That will wipe all user settings, including credit cards tied to the account.
Then go back to Applications, open Google Wallet and go through the setup process. It'll ask you to input a new PIN, then to select a credit card and/or Google Prepaid Card. If you add the latter, you'll find that the Google Prepaid Card balance from the old Google Wallet account is added to the new account.
"The problem here is that since Google Wallet is tied to the device itself and not tied to your Google account," wrote Hashim from The Smartphone Champ, "once they set the new PIN and log into the app, when they add the Google prepaid card it will add the card that is tied to that device."
A casual thief who wanted to exploit this flaw would have to get through a passcode screen lock to get to the phone's home screen, but not everyone enables a screen lock. Smarter thieves have ways of getting around screen locks, and buyers of secondhand phones might find a little surprise waiting for them when they set up Google Wallet.
SecurityNewsDaily has not heard back yet from Google regarding the issue. But in a statement to the tech blog The Verge, Google admitted the flaw existed, and that it had also set up a toll-free number for owners of lost or stolen phones.
"We strongly encourage anyone who loses or wants to sell or give away their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card," the statement read. "We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone."