Over the weekend, Google addressed two separate security issues within Google Wallet, one which takes some skill and knowledge to exploit, and one that anyone searching the lost and found box can exploit – assuming they are aware of it.
The first issue, discovered by researchers at the security firm zvelo, allowed them to discover the Google Wallet PIN, after brute forcing the application’s SQLite database. In order for this trick to work, the device must first be rooted, and after that, the cracking application must have the UID matched to the UID of Google Wallet or 0, something that zvelo did not mention in their report.
“zvelo feels that the fact that this attack requires root permissions does not in the least bit diminish the risk it imposes on users of Google Wallet. Our reasoning is simple: Presently, the PIN is easily revealed, but with the proper fix in place, the PIN will be nearly impossible to crack. It is as simple as that,” the company said in their initial report.
When asked about the vulnerability, Google pointed out something many of those who take pride in their rooting skills noticed immediately, namely that in order for it to work, the device had to have been rooted, and its security stripped. “The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device,” a Google spokesperson told SecurityWeek via email.
In addition, the spokesperson noted that to date, there are no known methods available to take a consumer phone and gain root access, while preserving any Wallet information – including the PIN.
“We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.”
The second vulnerability concern deals with unauthorized access to a device. Anyone who does not lock their screen, and happens to have their Google Wallet-enabled smartphone fall into someone else’s hands, could not only lose the hardware itself, but all of the money associated with the Wallet account.
This is because the Google Wallet information, such as balance, is linked to the device itself, and not a person’s Google account. In order for it to work, all an unauthorized user needs to do is reset the Wallet settings in the application’s menu. Once that is done, they’ll be prompted to enter a new PIN, which would enable them to access the funds associated with the device itself.
Google is aware of the issue and working to fix it. In the meantime, in addition to not rooting the device itself, the use of screen locks is a highly – they are willing to beg here – encouraged act.
“…to address an issue that could have allowed unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock…we temporarily disabled provisioning of prepaid cards. We took this step as a precaution until we issue a permanent fix soon,” said Osama Bedier, the VP of Google Wallet and Payments.
Moreover, if you are a Wallet customer, and you happen to have your device stolen or you lose it, you can protect yourself by reporting this fact to Google Wallet Support at 855-492-5538.
