Joshua Rubin, a security engineer with zvelo, disclosed his research into the (in)security of Google Wallet.
Google Wallet is a new near field communication (NFC) electronic wallet that allows customers to pay for everyday purchases by entering a PIN on their Android smartphone and tapping it on a receiver, similar to Mastercard PayPass.
What Rubin discovered is that a lost or stolen Android phone with Google Wallet configured is nearly as bad as handing over your credit card to whomever finds it.
The design of Google Wallet is such that the critical information like your account number is stored in a special hardware component of the phone called a Secure Element (SE).
Unfortunately the PIN required to complete transactions is not stored on the secure element, but instead is stored as a salted hash on the device itself.
What, you might ask? Chester, you are always lecturing us on how salted hashes are the way to go when it comes to securely storing passphrases!
That is true, but the issue here isn’t so much the hashing method, it is the lack of entropy. A passphrase can, and should, be long and contain a bit of variation making it hard to compute in a reasonable amount of time.
Google Wallet is designed so that you get only six tries to input your PIN before the device will wipe your credit card details from the SE.
The trouble is the salted hash of your PIN is stored on the filesystem of the phone and Android phones are trivial to root. With root access you can bruteforce the PIN without using any of your official attempts.
PINs are only 4 digits. 10,000 tries is trivial to attempt every combination, even on the smartphone itself and that is exactly what Rubin has done.
Demo of Google Wallet Cracker
Rubin concludes that the correct solution to the problem (which he responsibly disclosed to Google) is to store the PIN on the SE itself. It appears that Google agrees, but things aren’t always as simple as they might appear.
Enter the lawyers… Moving the PIN off of the phone’s filesystem and onto the SE results in a “change of agency”. This means the responsibility for keeping the PIN secure shifts from Google to the banks responsible for the SE.
What does this mean for Google Wallet users?
Well, if your phone is lost or stolen you should consider treating it like a lost or stolen credit card and report it immediately to both your credit card issuer and mobile phone company.
A determined thief could easily recover the PIN and make purchases given enough technical know-how.
Hopefully Google can iron out the details with the banks for moving the PIN onto the Secure Element and patch this flaw before it is widely exploited.