Security researchers pick Google Wallet with brute-force attack

Google's mobile payment technology may remain vulnerable unless banks take some responsibility for protecting users

Google Wallet users might want to stick to plastic and paper for a while. IT security researchers at Zvelo have discovered that PIN protection behind Google Wallet can be cracked via a brute-force attack in a matter of seconds. Google has been made aware of the problem, but there's no easy fix. In fact, part of securing Google Wallet would require banks taking some responsibility for protecting users, and they may not be amenable to doing so.

In a nutshell, Zvelo developed a program capable of brute-force cracking Google Wallet PINs, which are just four digits in length. Those four digits are all that's needed for a user to employ his or her smartphone as a wallet.

According to Zvelo senior engineer Joshua Rubin, coming up with the program was fairly simple. "Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes. This is trivial even on a platform as limited as a smartphone. Proving this hypothesis took little time," he wrote.

The silver linings for the time being are that, first, Google Wallet is not yet widely available on Android phones, just the Nexus S and Galaxy Nexus. Second, the attack can be pulled off remotely against only a rooted phone, though a knowledgeable thief with physical access to the device could gain access to the PIN.

Why is Google Wallet so seemingly insecure? Part of the problem: Google Wallet doesn't require a longer, more complicated password. According to Zvelo, requiring users to key in a complex password each time they wanted to make a purchase would deter them from using Google Wallet.

The next problem is Google Wallet's use of what's called a Secure Element (SE) for storing and encrypting sensitive information such as credit card numbers. Researchers found it fairly easy to examine the data stored on the SE, which included Unique User IDs (UUID), Google account information, Cloud to Device Messaging account information, Google Wallet Setup status, Card Production Lifecycle (CPLC) data, and PIN information. "The linchpin, however, was that within the PIN information section was a long integer 'salt' and a SHA256 hex encoded string 'hash,'" Rubin wrote.

The brute-force program developed by the team exploits the presence of that hash and salt to flawlessly crack the Google Wallet PIN.

The solution, per Zvelo, is straightforward in theory: PIN verification needs to move into the SE, and the PIN hash and salt should not be stored outside the SE.

Updating the code so that verification runs inside the SE requires getting approval from SE manufacturers, which is not a significant hurdle, according to Zvelo. The bigger challenge is that moving PIN verification into the SE might shift responsibility for the PIN's security from Google to the banks. "If this is in fact the case, then the banks may need to follow their own policies and regulations regarding ATM PIN security which obviously, and rightly, receive a great deal of scrutiny," Rubin wrote.

The banks "may actually choose to accept the risk imposed by this vulnerability rather than incur the financial and administrative overhead of allowing Google to release a proper fix (and thereby potentially put the banks on the hook for the PIN security)," Rubin continued. "Zvelo feels that this would be a grave mistake and would expose users to undue risk."

Zvelo offered five suggestions for Google Wallet users to mitigate the vulnerability:

1. Do not root your phone. Doing so will be one less step for a thief.

2. Enable lock screens. Face Unlock, Pattern, PIN, and Password all increase physical security to the device. Slide, however, does not.

3. Disable USB debugging. When enabled, the data on mobile devices can be accessed without first passing a lock screen challenge unless Full Disk Encryption is also enabled.

4. Enable full-disk encryption. This will prevent even USB Debugging from bypassing the lock screen.

5. Keep your device up-to-date. Ensure the device is current with the latest official software. Unfortunately, users are largely at the behest of their carrier and cellphone manufacturer for this. Using only official software and keeping devices up-to-date is the best way to minimize vulnerabilities and increase security overall.

This article, "Security researchers pick Google Wallet with brute-force attack," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow on Twitter.