Google Wallet locked after flaw found

The tech giant disables prepaid card use on its Wallets after a researcher finds a security hole.

Mobile wallets

Google has disabled the use of prepaid cards in its Wallet service after security researchers claimed a flaw in the technology could allow a hacker to acquire the user's PIN number.

The company temporarily disabled provisioning of prepaid cards for Google Wallet as a precaution until a permanent fix was found.

Advertisement - Article continues below

Despite the action and the research that inspired it, Google claimed its Wallet was perfectly safe to use. It said security issues were more likely to arise if users rooted their phones.

We were able to uncover the contents of the binary data and were shocked at what we found.

"People are asking if Google Wallet is safe enough for mobile phone payments. The simple answer to this question is yes. In fact, Google Wallet offers advantages over the plastic cards and folded wallets in use today," said Osama Bedier, vice president of Google Wallet and Payments, in a blog post.

"But sometimes users choose to disable important security mechanisms in order to gain system-level root' access to their phone; we strongly discourage doing so if you plan to use Google Wallet because the product is not supported on rooted phones. That's why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The flaw itself did require root privileges to succeed.

Finding the flaw

Joshua Rubin, a senior engineer with zvelo, claimed to have found the vulnerability in Wallet after looking through a "metadata" table in the database used by Google Wallet.

After cracking open the "deviceInfo" row within that table, he uncovered plenty of valuable information.

"We were able to uncover the contents of the binary data and were shocked at what we found," he explained in a blog post.

"Unique User IDs (UUID), Google (GAIA) account information, Cloud to Device Messaging (C2DM, also known as "push notification") account information, Google Wallet Setup status, "TSA" (this is probably related to "Trusted Services" not the "Transportation Security Administration") status, SE status and most notably "Card Production Lifecycle" (CPLC) data and PIN information."

Subsequently, Rubin discovered in the PIN information section a long integer "salt" and a SHA256 hex encoded string "hash." All he had to do then was run a brute force attack to determine the PIN itself.

Advertisement - Article continues below

"It dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes. This is trivial even on a platform as limited as a smartphone. Proving this hypothesis took little time," he added.

"Google Wallet allows only five invalid PIN entry attempts before locking the user out. With this attack, the PIN can be revealed without even a single invalid attempt. This completely negates all of the security of this mobile phone payment system."

Rubin said he had been in contact with Google and the company said it was working quickly to resolve the issue.

The researcher suggested Google may have some trouble in releasing a proper fix as it needed to move the PIN hash and salt details into the Wallet's Secure Element (SE), used to store and encrypt sensitive data like credit card information. This would take time and mean additional financial costs for banks allowing customers to use the service.

Advertisement - Article continues below

"At present, the decision is in the banks' hands. They may actually choose to accept the risk imposed by this vulnerability rather than incur the financial and administrative overhead of allowing Google to release a proper fix (and thereby potentially put the banks on the hook for the PIN security)," Rubin added.

"zvelo feels that this would be a grave mistake and would expose users to undue risk."

It appears Google has been given time to resolve the issue.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement
Advertisement

Recommended

Visit/security/ransomware/355909/microsoft-issues-warning-about-new-ponyfinal-ransomware-attacks
ransomware

Microsoft issues warning about new PonyFinal ransomware attacks

3 Jun 2020
Visit/security/data-breaches/355908/amtrak-guest-reward-suffers-a-data-breach
data breaches

Amtrak Guest Reward suffers a data breach

3 Jun 2020
Visit/security/cyber-security/355903/brand-impersonation-and-form-based-attacks-are-rising
cyber security

Brand-impersonation and form-based attacks are rising

3 Jun 2020
Visit/mobile/mobile-security/355889/parachute-introduces-superlock-feature
mobile security

Parachute's Superlock feature keeps your phone recording in an emergency

2 Jun 2020

Most Popular

Visit/security/ransomware/355891/nasa-it-contractor-ransomware-hack
ransomware

Ransomware collective claims to have hacked NASA IT contractor

3 Jun 2020
Visit/security/exploits/355866/critical-vmware-cloud-director-exploit-lets-hackers-seize-corporate
exploits

VMware Cloud Director exploit lets hackers seize corporate servers

2 Jun 2020
Visit/data-insights/data-science/355678/how-data-science-is-transforming-business
Sponsored

How data science is transforming business

29 May 2020