Report: Google Wallet PINs May Be Vulnerable on Rooted Devices

According to malware analytics group zVelo, Google Wallet PINs may be vulnerable if your phone is rooted. From their research and the video demo below, you will see that a simple .apk can be installed onto a rooted phone that can access PIN information, opening up your Wallet app to intruders should your phone fall into the wrong hands. The chances of that happening are obviously incredibly low, but we thought that you should all be aware of the situation.

zVelo was kind enough to contact Google ahead of this report and confirmed that this vulnerability does indeed exist. They worked to figure out a fix which turned out to be moving PIN verification into the SE (secure element) of the NFC chip in your phone. While this is apparently not that big of a deal on the fixing front, it could move the responsibility of PIN protection onto banks rather than Google, something that zVelo is not a fan of.

That was obviously the briefest of summaries. If you would like to read the long version with the technical security details, hit up the source link below.

In the meantime, we’ll toss out some ways that you can protect yourself. First, don’t root your phone (like that’s going to happen). Second, don’t lose your phone. Third, if you do plan on losing your phone, use something other than slide-to-unlock to protect your phone. Fourth (and for the 100th time), don’t download shady apps from shady 3rd party markets that ask for random internet permissions.

Via:  zVelo
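
The fix described above moves PIN verification out of readable app storage. As an added example (not zVelo's or Google's code), the JavaScript model below contrasts a salted PIN hash kept in a readable record with a verifier that keeps the PIN internal and enforces a retry limit; the SHA-256 construction, the record layout, the five-attempt limit and all names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumed construction: SHA-256 over salt + PIN. The page does not name the real one.
function hashPin(pin, salt) {
  return crypto.createHash('sha256').update(salt + pin).digest('hex');
}

// Constructed sample record, standing in for a PIN hash kept in app storage.
function makeSoftwareStore(pin) {
  const salt = crypto.randomBytes(8).toString('hex');
  return { salt, hash: hashPin(pin, salt) };
}

// With the record in hand there is no limit on guesses: the whole 4-digit
// space is 10,000 hashes, so the salt and the hash function add no real cost.
function offlineSearch(record) {
  for (let i = 0; i < 10000; i++) {
    const candidate = String(i).padStart(4, '0');
    if (hashPin(candidate, record.salt) === record.hash) {
      return { pin: candidate, guesses: i + 1 };
    }
  }
  return { pin: null, guesses: 10000 };
}

// Model of verification inside a component that never exports the secret.
// The retry counter is an assumption of this model.
class AttemptLimitedVerifier {
  #pin;
  #max;
  #remaining;
  constructor(pin, maxAttempts = 5) {
    this.#pin = Buffer.from(pin);
    this.#max = maxAttempts;
    this.#remaining = maxAttempts;
  }
  verify(candidate) {
    if (this.#remaining === 0) return 'locked';
    const guess = Buffer.from(String(candidate));
    // timingSafeEqual throws on unequal lengths, so check length first.
    const ok = guess.length === this.#pin.length &&
      crypto.timingSafeEqual(guess, this.#pin);
    if (ok) { this.#remaining = this.#max; return 'ok'; }
    this.#remaining -= 1;
    return this.#remaining === 0 ? 'locked' : 'wrong';
  }
}

// Same enumeration, but every guess has to go through verify().
function onlineSearch(verifier) {
  for (let i = 0; i < 10000; i++) {
    const candidate = String(i).padStart(4, '0');
    const result = verifier.verify(candidate);
    if (result === 'ok') return { pin: candidate, attempts: i + 1 };
    if (result === 'locked') return { pin: null, attempts: i + 1 };
  }
  return { pin: null, attempts: 10000 };
}

console.log(offlineSearch(makeSoftwareStore('4821')));
console.log(onlineSearch(new AttemptLimitedVerifier('4821')));
```

The design point is where the guess limit lives: a hash in readable storage can be tested without limit, while a verifier that holds the secret can count and refuse attempts.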

  • http://profiles.google.com/bhinson15 Brandon Hinson

    Glad this info is out there so Google can fix it… but really the craps I give about my pre-paid Google card is far less than the craps I give about not having my phone.

  • Jdstell

    Oh God NO!!!!

    Someone could potentially figure out my pin code to unlock my phone, know that I have Google Wallet, then have the technical know-how to install an apk to find out my Google Wallet pin, and have access to all $19.91 of my McDonald’s and 7-11 Slurpee fund on my Google pre-paid card! The humanity!

    The wallet in my back pocket is a far greater liability as far as I’m concerned.

  • Anonymous

    Doesn’t matter to me, I haven’t been able to use Wallet since my Secure Element locked me out

  • OMJ

    unrooting your phone is a terrible safety measure for this considering someone can just root it when they find it. Pin or face unlock is the best safety measure against something like this if you use wallet

  • Josh Groff

    Wait, so if something is stored on an electronic device, it may be vulnerable? Not truly a shocker.

  • Anonymous

    Oh hey look – yet another reason not to root.

    • OMJ

      if someone has your phone they can root it. Not rooting is not protection at all here

  • http://twitter.com/Chasemanhattan3 Chase Chick

    So let’s run through the steps I would have to go through.  

    1.  I would have to lose my phone.  This could happen, but the hacker better work fast because I have seekdroid on my Gnex so I would be able to find it fairly quick, unless they were smart enough to turn it off, data wipe it, or disable SeekDroid somehow.  
    2.  A criminal would have to find the phone.  Low percentage considering most people are not criminals.
    3.  The criminal would have to be pretty tech savvy himself.  Even lower percentage because most criminals are idiots.  The research suggests that the average IQ in jail is 85.  This is not an accident.
    4.  Criminal must not only be tech savvy, but have a background in coding, and know exactly what he was looking for.  Then MAYBE he could get my pin and spend the remaining 30 bucks or so I have put on the app at the gas station, because the gas station is one of the only places I have found that do paypass.  I guess he could drive through the airport toll booths too!

    I will take my chances of this a billion times out of a billion.  In fact, I would be willing to bet that this event that we are all up in arms over, NEVER HAPPENS NO ONE SINGLE TIME EVER!

    • ThatGuy

      Yes, for now.

      The problem lies in the future where someone could develop tools that would allow a non-tech-savvy person to exploit vulnerabilities like this. If NFC chips become ubiquitous and the usage of cellphones as payment devices increases, you can bet every exploit possible is going to be blown open.

    • Anonymous

      You have absolutely no imagination. All you need to do is download some rogue app that will send your encrypted NFC code with device id to a dynamic website and then bye bye hard earned cash :)

      • Chauncy

        False, the actual credit card info (a.k.a. cash spending info) is still locked away on the secure element of the device. This exploit only allows a thief to use the physical device in hand to pay for things once they’ve acquired your pin. Sure they could steal your pin and send it back to some server, but that’s all they’d get. Can’t buy things with just a pin.

    • Anonymous

      This is mainly true, for now. If and when something like NFC takes off, criminals will steal your phone instead of waiting for you to lose it. All in all, though, it’s just like having a wallet right now except it also does awesome things instead of simply holding your stuff.

      So, in the not too distant future, a criminal will steal your phone and immediately put it in airplane mode. They’ll then plug it into a Linux box and extract everything and/or use something like ADB to work the device remotely. You say criminals are stupid on average, and that’s true, but there are still some smart ones out there. Plus, you don’t have to be smart to have a base, technical proficiency. Once these things get popular expect the smart criminals to code some tools to exploit them and then the dumb criminals can simply use those tools. It takes a smart person to design a great firearm, but any mongo can pull a trigger.

  • http://twitter.com/shaneplawson Shane Lawson

    didn’t see something like this happening

  • Tylerwatt12

    Google wallet NFC payments only allow $20 maximum per transaction withdrawals. The CC number and pin are still in the secure element. Which is secure…

  • http://twitter.com/Chasemanhattan3 Chase Chick

    average iq in jail is 85. aka, criminals aren’t this smart…

  • Anonymous

    So based upon this report, someone who steals my phone could also root the phone, then install an apk to get to my Wallet pin. Seems like a lot of work and a smart criminal.

    • Josh Groff

      Especially since they just got a free phone, they’d probably just wipe it.

      • Anonymous

         +1 ^
        If I was a criminal I would not care about Google Wallet at all. Users usually carry no more than $30 pre-paid. more logically, I just found a $600 phone LETS SELL IT but wait…. I can’t even do that if  I wanted since Verizon has a black list for reported stolen phones… duh

        • Josh Groff

          You can sell a phone with a flagged esn. I’ve seen them on eBay.

  • Blootzm3

    the real issue is that google wallet will never be officially supported on the verizon network

  • Anonymous

    “They worked to figure out a fix which turned out to be moving PIN
    verification into the SE (secure element) of the NFC chip in your phone.”

    Shouldn’t something like the PIN have been in there in the first place??

  • ddevito

    This is Verizon trying to scare us.

    Sorry, didn’t work

  • Anonymous

    If you leave your physical wallet somewhere, it’s also vulnerable to intruders.

    • http://www.facebook.com/profile.php?id=25001493 Hank Godwin

      But your debit card’s PIN number isn’t.

      • Anonymous

        Hit credit, sign name, done… no pin needed.

    • Tom

      Swiping your credit card anywhere leaves your card vulnerable. 

      • Anonymous

        Actually, new CC encryption regulations require that the data be encrypted from the moment of read from the card (as opposed to the moment the data is sent over the network).  This was put into effect for the exact reason you’re alluding to…hackers using the actual card swiper to obtain the information. Not really relevant to the thread, but an interesting fact.

        • Anonymous

          That’s what it’s all about. CC encryption regulations. I hope that everyone complaining about Verizon blocking this functionality now maybe realizes exactly why. It’s not secure–yet. Something innately wrong with leaving a phone lying around with superuser permissions …hrm…it’s too obvious.

          • Chauncy

            This has absolutely nothing to do with Verizon blocking Google Wallet. This exploit just came out….Verizon has been blocking Google Wallet for months. The issue lies in that Verizon is investing in their own mobile payment solution (ISIS) and doesn’t want Google to have control of the market space when Verizon finally releases their solution. Smells like anti-trust, and so I’ll continue to complain about big brother Verizon so long as they keep over stepping their bounds.

            p.s. just about anything is more secure than the current mag strip CC system. 

          • Anonymous

            AAAGT! Wrong answer. Crappy security or not, it needs to be PCI compliant. Verizon is a huge company who knows how to follow laws. Their lawyers know what complies and what doesn’t more than you I’d wager.

            These contracts are still through credit cards and their massive agencies and Verizon would have to answer to Visa, MC, etc. In order to comply they have to follow PCI standards.
            https://www.pcisecuritystandards.org/hardware_software/

            I’m willing to bet their ISIS solution includes PCI compliance whereas Google wallet as we’ve seen has holes. I’m not saying that Google wallet won’t be awesome eventually but they need to get their stuff together.

          • Chauncy

            One hole thus far, compared to hundreds of vulnerabilities with traditional credit cards.

            I will continue to support Google Wallet because I have been persuaded that it is more secure than traditional cards, not to mention innovative. Until I can be given reasons to the contrary I’m with Google Wallet. You do make one valid point tho, Verizon doesn’t like to answer to anyone.

        • Tom

          That doesn’t prevent card reading devices that some jerk-off placed in a card swipe terminal. The only time you can be *absolutely* sure that one isn’t there is when you dip your card. Considering that a good portion of card readers don’t have that, it’s still very much insecure. This is why I use Blink or any other chip type payment method when possible. It is more secure and carries more encryption. I will revel in the day when the very insecure magnetic strip goes away in lieu of encrypted chips.

    • Jdstell

      Exactly. This is a non issue as far as I’m concerned.

  • DorkusMaximus

    but the rooters have no real money anyway.  all cheap bastards wanting free phones and open software. so what’s the bfd?

    • Dliuzzo110

      ^^^ ha ha ha. clueless much?

    • Josh Groff

      Which is why I have multiple rooted androids? To be fair, I do have outstanding first year college debt, but that’s expected.

  • Chimera

    Removing Google Wallet and unrooting phone now!!!

    NOT

    The risk is worth the reward.

    • http://them3blog.wordpress.com/ Abel

      Nfc is already a cool thing to do. Only needs Apple “blessing” and everyone will be OK with it. Even better if you don’t pay with your phone you are not cool

      • Tim242

        it doesn’t need apple’s blessing. .it just needs to be blessed on more phones, period.

        • http://them3blog.wordpress.com/ Abel

          I was being a bit sarcastic

        • http://www.facebook.com/profile.php?id=25001493 Hank Godwin

          No, I believe the only way NFC takes off is if Apple implements it on the next iPhone.

          • mons

            One of my local gas stations had a sticky sign on the door…”now accepting Google Wallet.” Made me happy.

            But I agree, NFC won’t take off until it’s in an iPhone, unfortunately.  So far, a few big grocery chains and gas stations have NFC, but I don’t think it’s going to rapidly spread to other places until Apple adds it.

      • Anonymous

        You ain’t cool unless you pee your pants.  Peeing your pants is the coolest.

        • Earl Echols

          O’Doyle rules!

        • Chauncy

          If peeing your pants is cool, then I’m Miles Davis.

  • http://twitter.com/Zfwaeld Zfwaeld Zfwaeld

    Even if you don’t root your phone, what’s to stop a thief from doing so?

    • Nick

      Rooting wipes the device.

      • http://twitter.com/Zfwaeld Zfwaeld Zfwaeld

        Not on all devices. I suspect (can someone confirm?) that rooting only wipes the device when “oem fastboot unlock” is used.  Many Samsung phones can be rooted by flashing a root-enabled kernel through Odin, and there are others for which root is obtained via an exploit, which usually aren’t wiped either. 

        • http://them3blog.wordpress.com/ Abel

          All devices with NFC …. you can use other methods but you need most need to pass that lockscreen tho

        • RW-1

          How many other Samsung mobiles out there with NFC and wallet are you referring to?

          You must unlock to root the gnex, unlocking wipes it. Done.

      • Chauncy

        Rarely does rooting wipe a device. 

        http://lmgtfy.com/?q=How+to+root+my+phone

  • http://www.youtube.com/kimirPORTALS kimir

    Isn’t there an app that you can use to disable permissions?

    • http://twitter.com/kirilv Kiril

      Nope, not after someone steals your phone. I think the one you are thinking of is the app that disables permissions while the phone is in your possession, on apps you already have installed.

      • http://www.youtube.com/kimirPORTALS kimir

        yes. What is that app?

    • TC Infantino

      There is an app that you can remote wipe your phone though.  I believe Lookout Security, once installed on your phone and on your PC, will allow you to wipe your phone remotely via the program on your PC.

      • Anonymous

        Won’t matter if someone in the know steals your phone. The first thing they’ll do is put it in airplane mode. No wipe possible, no tracking possible. Someone said it best earlier: if your phone gets lost or stolen, you treat it like your wallet got lost or stolen. I guess that makes sense as it’s Google Wallet we’re talking about, here.

  • http://twitter.com/kirilv Kiril

    Couldn’t Google use the password manager of the phone for the pin instead of storing it in the secure element? I was under the impression that the password manager is encrypted.

    • Casey Megginson

       The pin is stored as a cryptographic hash which I doubt the password manager bothers to do. They’re talking about doing a brute-force attack, which wouldn’t take long with only 10,000 possibilities.

      • http://twitter.com/kirilv Kiril

        Well, as far as I know, the password manager hasn’t been hacked yet, so it must be doing something right. Plus, why wouldn’t it store it as a hash? A ton of other software does.

        Also, I just ran the brute force now. It takes 1.399 seconds using JavaScript and V8 — it would be even faster in compiled form. That’s faster than the load time for most apps. However, how is this going to be different than if the pin is stored in the secure element?

        • Casey Megginson

           Because if you’re storing a password to use to log on to a service, you’d think that you’d need it in plain text, but you should be able to store it as a hash if their authentication works in a reasonable way. In any case, I doubt it’s so much that the password manager hasn’t gotten owned as it is that the entropy on a 4 digit pin is so low that brute force becomes trivial.

          • http://twitter.com/kirilv Kiril

            It’s been a while since I’ve done cryptography, but I very much doubt that passwords are stored as plain text. They would be encrypted using the master key (the manager password), which is itself probably stored as a hash.

            Further, the pin hash is produced by an open and known library. This is not what produces the security then, and in itself, the hash is irrelevant. The real vulnerability is storing it in a regular sqlite3 database. What these people actually did was pull the value out of the database, so if they can’t pull the value, they can’t use brute force to crack it.

            Storing that same hash in the encrypted password manager adds that nice bit of extra security. If they, however, store the hash in the secure element, that means that (a) they have to expose a system for communicating with the secure element — which could in turn be exploited — or (b) they have to have the banks remotely authenticate the user — which means you need a data connection, and worse, expose the hash to the internet (and SSL has already been hacked). Neither of those systems is inherently more secure than storing the hash in the password manager.

  • Nybandit2000

    Oh my! I hope someone don’t take the free $10 I got for starting a Google prepaid card. Lol

  • CyberPete

    The problem is not the .apk that the tester installed. If you are root, and somehow; OTA, SMS, malware from side-load OR market, BT or WiFi proximity exploit, gets on your phone, you’re going to get pwnd. Be aware.

    • Chauncy

      Not unless the unruly character gets a hold of my phone. Without touching my phone, and fully using this exploit, worst they can do is get my pin. Can’t spend money with just a pin. 

  • Anonymous

    Pro tip:  When some strange app requests SU permission click NO.

    • Anonymous

      They’re talking about if someone physically stole your phone.

      • Anonymous

        In which case you need to take the same actions as if you lost your wallet.  If you (not you personally) aren’t OK with that, then you shouldn’t use the app.

  • Anonymous

    The “via: zVelo” link is broken.

    Also, what exactly is the malicious .apk doing? Is it just getting root permissions and reading the shared_prefs file?

    • Stephen

      They found the exact file that “hides” the pin and they run a computation to decrypt it.

      • Anonymous

        the malicious app needs to be granted sudo permissions though, right?

        • Stephen

          It won’t work on non-rooted as far as I could tell from their post.  I would assume that installing the .apk would ask for some sort of root permissions though.

          • http://twitter.com/kirilv Kiril

            It does not work on non-rooted phones, since you need root to get past the per-app permissions of sqlite3, so you are right. And yes, it will ask for root permissions. However, no one should be worried about their pin being stolen remotely — there is no point in doing so. This only demonstrates that at its worst, Google Wallet is no more secure than a standard wallet.

      • Casey Megginson

         They weren’t decrypting it, as it’s not possible to decrypt a cryptographic hash. They were doing a brute-force attack on the hash, and 10,000 possibilities wouldn’t take more than a couple minutes to do.

    • http://www.droid-life.com Tim-o-tato

      Fixed :)

  • S Bosworth

    REALLY? If you didn’t expect inherent security issues when running an unapproved .apk on a rooted device, you’re too stupid to use a smartphone anyway and should just quit 

  • Anonymous

    The fact that this has to be explained makes me sad.  You circumvent the security on your device, inherently it will be less secure.  

    That is a risk we take when doing this.