Two separate methods to hack into Google Wallet were discovered in February.
This is according to Kaspersky Lab, which adds that data security professionals had initially voiced concerns about the mobile payments app.
The company says the first method involves hackers gaining root access to the PIN hash, which can be done once they have access to the phone because the PIN hash is stored on the phone's file system.
Joshua Rubin, a senior engineer at zvelo, who discovered the vulnerability, says that because the Google Wallet PIN can only be a four-digit numeric value, access to the wallet can be gained using a brute force attack, which requires that the hacker systematically check all possible PINs until the correct one is found.
Rubin adds that, in this instance, a brute force attack would require only 10 000 calculations. “This is trivial even on a platform as limited as a smartphone. Proving this hypothesis took little time,” he says.
Kaspersky says Google Wallet can also be accessed without attackers even having to hack the system or obtain root access. It explains that, on lost or stolen phones, a vulnerability on the Google Wallet app itself can be exploited.
It adds that by using the app properties menu and deleting all data pertaining to the Google Wallet app, a user can reset the PIN. Once the data has been deleted, the app will request a new PIN without the user needing to enter the previous PIN.
Senior malware analyst at Kaspersky, Denis Maslennikov, says these vulnerabilities were reported to Google, which suspended Google Wallet operations and later announced that the app's glitches had been fixed and the service updated.
Questionable architecture
According to Daniel Cuthbert, assessment manager at SensePost, both the vulnerabilities were possible because the method used to store the PIN was not as secure as it should be. “The application architecture decisions are questionable,” he says.
Google has also made other questionable architecture decisions regarding its Google Wallet application, Cuthbert points out. He says there is no encryption of personal information or payment history. Furthermore, Cuthbert says it is possible to access sensitive user data from the phone because the database that stores this data is also not encrypted.
He says storage on smartphones is flawed in general. It is not specific to Google, or even mobile wallet applications, and app developers must make a substantial effort to encrypt data on smartphones.
Mobile versus physical wallets
Cuthbert warns consumers to be as protective of their mobile wallets as they are of their physical wallets. He stresses that both Google Wallet flaws required access to the handset. “Basic security steps can be taken to ensure the device is rendered useless if found,” he says.
Maslennikov says mobile security features like privacy protection, remote wipe or blocking of lost or stolen devices, encryption, cloud security, anti-spam filters and anti-virus engines help mobile devices reach a high level of security. However, he warns that mobile devices are no safer than personal computers.
Cuthbert advises consumers to create a separate card, with limited funds, for all digital wallets. “This way, if the handset is lost and compromised, you have limited the financial risk,” he says.
For an explanation and video demonstration of the PIN exposure vulnerability, click here.
Share