Cracking Open Your (Google) Wallet

We suggested earlier that instead of going after the Secure Element chip and the information it keeps safe, attackers would go after the weaker point of the Google Wallet app. Security researcher Joshua Rubin has now created a proof-of-concept app, Google Wallet Cracker, that can recover the Google Wallet PIN on a rooted phone.

Once attackers get your PIN, they have full access to any credit card information stored in the app and they can use your phone to make purchases. As a user of Google Wallet, the main security you see is the PIN. What makes Wallet easy for you to use now makes it easy for attackers to use; they can now spend your money and credit just as if your phone were an ATM card.

How It Works
The vulnerability involves storing an encrypted hash of the Google Wallet PIN in a database that belongs to the app. Because it’s not stored in the Secure Element chip, the only protection is Android’s user ID-based “sandboxing.” Normally malicious apps can’t access files belonging to another app, but once the phone is rooted that protection and any others are gone.

Google Wallet Cracker app checks whether the phone is rooted.

In this case an attacker with root access can reverse-engineer the Google Wallet app’s database format and extract the hashed PIN.

The Cracker app extracts the encrypted hash of the Google Wallet PIN.

Because the PIN is a four-digit code, an attacker can generate all possible PINs (0000-9999), hash them, and compare against the extracted PIN. On a real phone this takes about four seconds.

The Cracker app displays the recovered Google Wallet PIN four seconds after the app was started.

How Do We Stay Safe?
Currently only Nexus S or Galaxy Nexus users can run Google Wallet. Rubin has responsibly disclosed the vulnerability to Google and the company is now working on patching Android to prevent such attacks. The Google Wallet Cracker is not publicly available.

Google Wallet users can take a number of steps to protect themselves:

  • Use a lock code/password, swipe pattern, or face unlock
  • Keep your phone close and in your possession. If attackers don’t have physical access to your phone, they can’t install malicious apps or spyware.
  • Install antivirus software on the phone to protect against unwanted root exploits and spyware