Google Wallet users might want to stick to plastic and paper for a while. IT security researchers at Zvelo have discovered that PIN protection behind Google Wallet can be cracked via a brute-force attack in a matter of seconds. Google has been made aware of the problem, but there's no easy fix. In fact, part of securing Google Wallet would require banks taking some responsibility for protecting users, and they may not be amenable to doing so.
In a nutshell, Zvelo developed a program capable of brute-force cracking Google Wallet PINs, which are just four digits in length. Those four digits are all that's needed for a user to employ his or her smartphone as a wallet.
According to Zvelo senior engineer Joshua Rubin, coming up with the program was fairly simple. "Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes. This is trivial even on a platform as limited as a smartphone. Proving this hypothesis took little time," he wrote.
The silver linings for the time being are that, first, Google Wallet is not yet widely available on Android phones, just the Nexus S and Galaxy Nexus. Second, the attack can be pulled off remotely against only a rooted phone, though a knowledgeable thief with physical access to the device could gain access to the PIN.
Why is Google Wallet so seemingly insecure? Part of the problem: Google Wallet doesn't require a longer, more complicated password. According to Zvelo, requiring users to key in a complex password each time they wanted to make a purchase would deter them from using Google Wallet.
The next problem is Google Wallet's use of what's called a Secure Element (SE) for storing and encrypting sensitive information such as credit card numbers. Researchers found it fairly easy to examine the data stored on the SE, which included Unique User IDs (UUID), Google account information, Cloud to Device Messaging account information, Google Wallet Setup status, Card Production Lifecycle (CPLC) data, and PIN information. "The linchpin, however, was that within the PIN information section was a long integer 'salt' and a SHA256 hex encoded string 'hash,'" Rubin wrote.
The brute-force program developed by the team exploits the presence of that hash and salt to flawlessly crack the Google Wallet PIN.