Researchers at security firm Zvelo discovered that Google Wallet PINs can be cracked by brute force - though only on rooted Android devices. A blog post published Wednesday by Joshua Rubin of Zvelo detailed the vulnerability.
While cell phone-based payment systems are growing quickly, with Google Wallet being just one of many options for smartphone users, most Android device owners probably shouldn't be too worried about this newly discovered security flaw. First of all, most Android devices aren't rooted, which is a requirement for this vulnerability to work. If you don't know what "rooted" means, it's very likely your phone isn't.
On top of this, physical access is also a requirement because a password cracking software application must be installed on the device. According to Google, a device will wipe itself of data if someone tries to root a device without the owner's permission.
Rubin explained in the blog post that with a 4-digit PIN, a brute force attack requires testing at most 10,000 candidate PINs, a trivial amount of work even for a smartphone. With the Google Wallet cracker application they wrote, a user's Google Wallet PIN can be revealed in mere seconds, bypassing Google Wallet's limit of five invalid PIN attempts.
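The arithmetic behind that paragraph, as an added illustration that is not code from the article or from Zvelo: the stored PIN verifier is modelled here as a salted SHA-256 digest (an assumption for the demo, not Google Wallet's actual format), the salt and PIN are constructed values, and the functions show how little work a 4-digit keyspace represents once the app's attempt counter no longer applies, and how that scales with PIN length and verifier cost.

```python
import hashlib
import time

# Constructed example values: the salt and the PIN are made up for this demo.
SALT = b"constructed-salt"


def pin_digest(pin: str, salt: bytes = SALT) -> str:
    """Model of a locally stored PIN verifier: SHA-256(salt || PIN).
    This format is an assumption for illustration, not Wallet's own."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def keyspace(digits: int) -> int:
    """Number of candidate all-numeric PINs of the given length."""
    return 10 ** digits


def exhaust(digest: str, salt: bytes = SALT, digits: int = 4):
    """Try every PIN of the given length against a stored verifier.

    Returns (matching_pin_or_None, attempts_made). When the verifier is
    readable, the app's five-attempt lockout never sees these checks, so the
    keyspace size alone determines how long this takes.
    """
    attempts = 0
    for candidate in range(keyspace(digits)):
        pin = f"{candidate:0{digits}d}"
        attempts += 1
        if pin_digest(pin, salt) == digest:
            return pin, attempts
    return None, attempts


def seconds_to_exhaust(digits: int, hashes_per_second: float) -> float:
    """Worst-case time to test every PIN at a given verifier cost.
    Key stretching raises the per-guess cost but only scales this linearly."""
    return keyspace(digits) / hashes_per_second


if __name__ == "__main__":
    target = pin_digest("7391")  # constructed PIN for the demo
    start = time.perf_counter()
    pin, attempts = exhaust(target)
    elapsed = time.perf_counter() - start
    print(f"matched {pin} after {attempts} of {keyspace(4)} candidates "
          f"in {elapsed:.3f}s")
    # Even at a deliberately slow 10,000 verifications per second, a 4-digit
    # PIN is exhausted in a second and a 6-digit one in under two minutes.
    for digits in (4, 6, 8):
        print(f"{digits} digits at 10k/s: {seconds_to_exhaust(digits, 10_000):.0f}s")
```

The point the numbers make is the one in the paragraph: a PIN this short is only protected by the limit on attempts, so whatever enforces that limit has to sit somewhere an attacker with root cannot read or bypass.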
Google released a statement on Zvelo's findings to The Next Web:
The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.
A video of the vulnerability in action can be viewed below: