Google Wallet PIN vulnerable on rooted Android devices

Researchers at security firm Zvelo discovered that Google Wallet PINs can be cracked through brute force methods - though only on rooted Android devices. A blog post made Wednesday by Joshua Rubin of Zvelo detailed the vulnerability.

While cell phone-based payment systems are growing quickly, with Google Wallet being just one of many options for smartphone users, most Android device owners probably shouldn't be too worried about this newly discovered security flaw. First of all, most Android devices aren't rooted, which is a requirement for this vulnerability to work. If you don't know what "rooted" means, it's very likely your phone isn't.

On top of this, physical access is also a requirement because a password cracking software application must be installed on the device. According to Google, a device will wipe itself of data if someone tries to root a device without the owner's permission.

Rubin explained in the blog post that with a 4-digit PIN, a brute force attack only requires calculating at most 10,000 options, which is a trivial task even for smartphones. With the Google Wallet cracker application they wrote, a user's Google Wallet PIN can be revealed in mere seconds, bypassing the five attempts allowed for invalid PIN entries by Google Wallet.

Google released a statement on Zvelo's findings to The Next Web:

The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.

We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.

A video of the vulnerability in action can be viewed below:

Report a problem with article
Previous Story

Windows 8 Consumer Preview to be build 8250?

Next Story

Remember the N9? It's not dead; Huge update coming soon

15 Comments

Commenting is disabled on this article.

fud. google wallet is fine. lock your phone, and don't give it to your moron friends to download the app to and you're fine. the sky is not falling

I have a rooted Samsung Galaxy Nexus and Google Wallet. Am I scared? HELL NO. Because I am not an idiot. Put a password on your lock screen people. If you didn't think of that before, go to a mobile OS that is dumbed down for you.

'...must be rooted...'

Yes, assuming android OS itself doesn't have any hidden or unknown bugs that would allow a program to escape it's virtual 'jail' and run as a root process... Oh wait, such bugs do exist.

Chugworth said,
What? You mean personal data is vulnerable on a rooted phone with the lock screen disabled? You're kidding!

not only vulnerable but people can make payments like a credit card.. This is pretty serious if people can spend a ton of your cash without your knowledge.

Chugworth said,
What? You mean personal data is vulnerable on a rooted phone with the lock screen disabled? You're kidding!

I thought that any security vulnerability was bad. Download some software, install it on your computer, and if it accessed any data on your computer it was bad. At least that was what the Linux (which android is based upon) and Apple fans would say about Windows. But I guess we live in a different time, when malware on non-Windows platforms accessing your data is OK (unless it is on Windows, which is still an insecure mess, right?)

Lachlan said,

not only vulnerable but people can make payments like a credit card.. This is pretty serious if people can spend a ton of your cash without your knowledge.

Only if you use google wallet.... of which I don't.

nohone said,

I thought that any security vulnerability was bad. Download some software, install it on your computer, and if it accessed any data on your computer it was bad. At least that was what the Linux (which android is based upon) and Apple fans would say about Windows. But I guess we live in a different time, when malware on non-Windows platforms accessing your data is OK (unless it is on Windows, which is still an insecure mess, right?)

No, see, if there's a vulnerability on Linux, it's only there when a responsible user responsibly opens up his system in a responsible, educated way.

When there's a vulnerability on Windows, it's 'operator error'.

I know what you're thinking. The actions of the user vs. operator error sure sound like different ways of saying the exact same thing, but I assure youOHGODWHATSTHATBEHINDYOURUNAWAY!!!