Joshua Rubin, a security researcher at zvelo, have discovered that Google Wallet PIN can be cracked easily by brute forcing on a device that is "rooted".
Google Wallet is the first publicly available Near Field Communication (NFC) Payment System that purports to turn to your smartphone into a credit card, allows to purchase by entering a PIN .
In order to facilitate secure transactions, NFC use hardware component called Secure Element(SE) which is used to store your confidential data such as the complete credit card number.
In order to authenticate users and grant access to the SE, Google Wallet requires a 4-digit, numeric PIN when first launching the app. Unfortunately, the PIN is not stored on the SE , but instead it is stored as a salted SHA256 Hash on the device itself.
"Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes."Joshua Rubin said ." This is trivial even on a platform as limited as a smartphone. Proving this hypothesis took little time."
Google Wallet only allows five invalid PIN entry attempts before locking the user out,but with root access you can bruteforce the PIN without a single invalid attempt.
Rubin concludes that the only way to solve this issue would be to move the PIN verification into the SE itself and to no longer store the PIN hash and salt outside the SE.
Google has issued this statement on the matter:
This confirms that there should be no issue unless your phone has already been rooted. If you have rooted your smartphone, Google strongly encourage you to not install Google Wallet and to always set up a screen lock as an additional layer of security for their phone.(like activating the lock screen, disabling the USB debugging option in settings, and enabling full-disk encryption).
Google Wallet is the first publicly available Near Field Communication (NFC) Payment System that purports to turn to your smartphone into a credit card, allows to purchase by entering a PIN .
In order to facilitate secure transactions, NFC use hardware component called Secure Element(SE) which is used to store your confidential data such as the complete credit card number.
In order to authenticate users and grant access to the SE, Google Wallet requires a 4-digit, numeric PIN when first launching the app. Unfortunately, the PIN is not stored on the SE , but instead it is stored as a salted SHA256 Hash on the device itself.
Google Wallet only allows five invalid PIN entry attempts before locking the user out,but with root access you can bruteforce the PIN without a single invalid attempt.
Rubin concludes that the only way to solve this issue would be to move the PIN verification into the SE itself and to no longer store the PIN hash and salt outside the SE.
Google has issued this statement on the matter:
The Zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
This confirms that there should be no issue unless your phone has already been rooted. If you have rooted your smartphone, Google strongly encourage you to not install Google Wallet and to always set up a screen lock as an additional layer of security for their phone.(like activating the lock screen, disabling the USB debugging option in settings, and enabling full-disk encryption).
