Google challenged on Wallet PIN flaw

Google may have solved its issue with prepaid cards on Wallet, but an earlier flaw thought to be restricted to rooted phones may have more serious repercussions.

Google may have solved its issue with prepaid cards on Wallet, but an earlier flaw thought to be restricted to rooted phones may have more serious repercussions.

(Google Wallet at Peet's image by kennejima, CC BY 2.0)

Wallet was exposed to two flaws last week, the first of which — discovered by security researchers at Zvelo — allowed malicious users to obtain the PIN required to open the Google Wallet application if the user's smartphone had been rooted. The second flaw was discovered shortly afterwards by The Smartphone Champ, which realised that resetting Wallet would result in users being prompted for a new PIN, and allow them to use the prepaid card associated with the device.

This second flaw was seen as serious, due to the ease with which it could be exploited, and was quickly fixed after Google temporarily froze the provisioning of prepaid cards over the weekend.

But the first flaw, which was considered as being a lower threat, since it required users to have rooted their devices, may have more serious repercussions.

Google's initial advice at the time of the first flaw was that "the product is not supported on rooted phones", and that users should follow best security practices, such as putting in place screen locks. It was considered sound advice, due to the fact that rooting a phone typically results in the PIN being wiped from the device, and it led many users to believe that if they maintained their phone in a stock condition, they would be safe.

However, Zvelo security researcher Joshua Rubin has challenged the idea of unrooted phones being secure, writing on Zvelo's blog that due to other vulnerabilities in the latest version of Android, a malicious application could root a device without wiping Wallet's PIN information, leaving the users ignorant to the fact that their phone has been rooted and at risk of being hacked.

"Privilege-escalation vulnerabilities can be exploited without physical access to the device. Malicious apps could gain root privileges, read any data on the device and send it back to a server on the web — and it can do all this silently. All a user would have to do is install a malicious app, then all bets are off," Rubin wrote.

To allow others to verify this claim for themselves, Rubin linked to the third-party proof-of-concept code that Zvelo had used to test its theory.

Despite this, Google is still standing by its initial advice to users.

"The recent comments about rooting phones underscore our earlier recommendations that best security practices for using Google Wallet are essential. We strongly advise all users to set up a phone screen lock as an additional layer of protection for Google Wallet. If you lose your phone or suspect an unauthorised transaction, please contact Google Wallet Support to disable your cards," the company told ZDNet Australia.

These measures may be sufficient for the time being, considering that there have been no reported cases of fraudulent transactions exploiting Wallet.

In addition, the company isn't hiding behind the idea that if users root their device, then it's their own fault. The company is taking action to secure this flaw, and has told ZDNet Australia that it is "currently investigating alternative methods for storing the PIN". While it was unable to elaborate on what that fix might involve, Zvelo has previously suggested that Google should move PIN verification to inside the encrypted secure element on devices, which only runs digitally signed code.

It is possible that complications or reluctance to take responsibility for PIN security will have an effect on the worldwide roll-out of Wallet; however, Google has still not committed to a date for Wallet in Australia.


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All