Google Wallet PIN Falls to Brute Force Hack Attack

[dgstorm]

[video=youtube;P655GXnE_ic]http://www.youtube.com/watch?feature=player_detailpage&v=P655GXnE_ic[/video]​

It looks like the Google Wallet service has a security vulnerability that can be exploited to crack your PIN. It's important to note that several things have to lineup to make this happen. Here's how it breaks down, and all of these things must be true for the vulnerability to be exploited:

1. You have a phone with Google Wallet set up (currently the Nexus S and Galaxy Nexus)
2. Your phone is rooted
3. You don’t use lock screen security (PIN, pattern, face unlock, etc)
4. You lose your phone

Here's how the exploit works. Basically, Google Wallet stores your pin using a SHA256 hex-encoding. This means all that you need is a a brute-force attack to crack the encryption. You simply need to generate at most 10,000 SHA256 hashes, which would be easy for a smartphone to accomplish.

Unfortunately, there is no easy way for Google to fix this security flaw. There are at least a couple of viable options for them. One is to offload the PIN security to the banks. However, more than likely the banks are loathe to do this, because it would mean more costs for them, and would also mean you would have to trust your bank's security system more.

Another idea proposed is to change it from a 4 digit pin to a more secure password with a minimum of 6 digits and a mix of letters and numbers. Unfortunately, this isn't the ideal solution either, since typing in a long password could be time-consuming when you are waiting in line at a check-out counter. Additionally, the long password option could kill it as a viable idea, because it over-complicates the process, which would likely turn-off a lot of consumers.

Because of these issues, it is unlikely we will see anything done initially to deal with this problem, especially since a number of things must occur for this to be possible. Of course, as more phones get the NFC technology, the risk factor goes up. Ultimately, it really depends upon the user not losing their phone, and/or setting a lock screen on it. It's also obvious to point out that this vulnerability only affects "rooted" users, and while that means quite a few of you guys, it doesn't really affect the vast majority of consumers. Above is a video of the exploit in action. Does this make you less likely to utilize Google Wallet?

Source: TalkAndroid

 

[Nealius]

Every cool new toy gets hacked. This is why we can't have cool stuff.
So I lose my phone it gets hacked. Some one gets to spend the little bit of money I keep on my phone. I'm more bummed that I lost my phone. As I say that I'm going to play with my security option and make sure my funding card is not attached to my wallet account

Sent from my GummyNex'd Galaxy Nexus!

 

[wolstonc]

How does being rooted or not change things on this?

Also, I guess I don't worry much, because I wish I didn't have a pin at all. Losing my credit card would still be easier to exploit than this

Sent from my Galaxy Nexus using DroidForums

 

[johnomaz]

I'm sorry, but if you have your credit card info in Google Wallet and do not have a lock PIN or pattern on your phone, you're a dumb ass. Your phone also has to be rooted. Sure, I guess someone could find your lost phone and root it themselves, but come on, what are the chances that someone who finds a phone and decides to steal it will know what rooting is. If I were to use google Wallet, I'd make sure I wasn't rooted and had a screen lock in place. That is, IMO, just common sense. Also, your laptop could get stolen and your bank info could get used if you store it in the browser. Just because it can be hacked doesn't mean its suddenly unsecure. Though honestly, I'm not sure why Google doesn't use some sort of encryption for their Wallet pin numbers.

 

[Chizzele]

I'm sorry, but if you have your credit card info in Google Wallet and do not have a lock PIN or pattern on your phone, you're a dumb ass. Your phone also has to be rooted. Sure, I guess someone could find your lost phone and root it themselves, but come on, what are the chances that someone who finds a phone and decides to steal it will know what rooting is. If I were to use google Wallet, I'd make sure I wasn't rooted and had a screen lock in place. That is, IMO, just common sense. Also, your laptop could get stolen and your bank info could get used if you store it in the browser. Just because it can be hacked doesn't mean its suddenly unsecure. Though honestly, I'm not sure why Google doesn't use some sort of encryption for their Wallet pin numbers.

If someone finds your phone and tries to root it, all info on the phone will be erased including Google Wallet info as part of the rooting process so that is not an issue.

I am rooted, i use Google Wallet and i don't use any pattern lock. I would hate to lose my phone not because i'm worried about Google Wallet but because i'll have to get another phone. The likelihood of anyone finding the phone and knowing how to use this exploit is very slim. Plus i don't have any card information on GW other then Google gift card..

 

[ntrddragn]

I think there are other concern if you were to lose your phone beside GW. like your emails, contacts pictures. store info about yourself, your work etc...lots of people use email (little use GW) and im pretty sure those emails contains sensitive info. I use GW, have pattern lock, not root (now), and only have the google gift card loaded.

 

[B-Unit]

I'm sorry, but if you have your credit card info in Google Wallet and do not have a lock PIN or pattern on your phone, you're a dumb ass. Your phone also has to be rooted. Sure, I guess someone could find your lost phone and root it themselves, but come on, what are the chances that someone who finds a phone and decides to steal it will know what rooting is. If I were to use google Wallet, I'd make sure I wasn't rooted and had a screen lock in place. That is, IMO, just common sense. Also, your laptop could get stolen and your bank info could get used if you store it in the browser. Just because it can be hacked doesn't mean its suddenly unsecure. Though honestly, I'm not sure why Google doesn't use some sort of encryption for their Wallet pin numbers.

I dont understand why having Wallet active doesnt require some type of true security, much like hooking up to an Exchange server with an iPhone requires you to have a PIN. This is a financial instrument Google, not free e-mail. Pull your heads out.

 

[zomnomnombie]

So Google Wallet is like a real wallet? You lose it and you're most likely screwed?

Sent from my R2 unit using DroidForums

 

[mfendley]

Even if you meet conditions 1-4 listed above, you should only be out the amount you have loaded on your Google card (assuming that is your default card). Even if you have another card memorized in order to replenish the funds on your Google card, the CCV is not stored. This data would have to be also subjected to the brute force attack, in addition to the pin. This adds another level of complexity.

 

[xeene]

I use Google wallet, I'm rooted and I don't use lock pin. I do have seekdroid installed on my phone. In the event I would lose my phone(VERY unlikely) all I need is access to any internet pc from which I can either wipe my phone completely or turn on gps or wifi and get exact location of it, or access its info with all incoming/outgoing calls and messages. This is really a non issue if you know what you are doing.

 

[Tonik]

How does being rooted or not change things on this?

To break in they need physical access to the phone, then they need to install their brute force software. That software requires root to be able to access google wallet on the phone.