XDA Developers Android and Mobile Development Forum

Google Wallet PIN Vulnerability

miasma
(Last edited by miasma; 15th February 2012 at 04:22 PM.) Reason: Added youtube video, added more info to top, add info on second vulnerability
#1  
Member - OP
Thanks Meter 32
Posts: 80
Join Date: Sep 2009

I am finally able to disclose a major vulnerability I found in Google Wallet.

The vulnerability is that the Google Wallet PIN can be exposed without a single invalid attempt. This renders all the security of the secure element void.

Please see below for our press release, detailed blog posting, demonstration app and source code.

Feel free to ask me any questions or report any issues.

The app is also able to give you some useful information about the state of your secure element. This may be helpful for people with SE issues.

https://zvelo.com/news/press-release...-vulnerability
https://zvelo.com/blog/entry/google-...-vulnerability
http://dl.dropbox.com/u/10770509/WalletCracker.apk
https://github.com/rubixconsulting/WalletCracker

Here is a video demonstration of the vulnerability:


We reported this issue to Google on December 21.

Google has a fix, but it is up to the banks to decide if it will be released. We are hoping the publicity will cause the banks to make the right decision.
Right now, there is a possibility that the fix will never be released.

Google believes that the change required may constitute a "change of agency" regarding who does the PIN verification (if it is done inside the secure element). If the banks then become responsible for the PIN verification, the PIN becomes subject to the same regulations and procedures as an ATM PIN. The banks may choose to accept the risk as is rather than take on the increased cost and overhead associated with the change. Please spread the word so that we might be able to leverage them to make the correct decision.

What can you do to lower your risk profile?
Reset Google Wallet from within the wallet app itself, then uninstall it (this wipes everything from the device)
-- OR -- (any one of these will help, but #1 is the most important)
1. Add a screen lock (not the slide lock)
2. Disable USB debugging
3. Enable full disk encryption
4. Unroot if rooted
5. Use only the stock ROM and ensure it is up to date
6. Install an app that gives you the ability to "remotely wipe" the device if it is lost (Lookout is one example)

EDIT: DETAILS OF SECOND VULNERABILITY

Regarding the second vulnerability announced today: this is the issue where, by uninstalling or resetting the Wallet app and then re-configuring it for the same user, they are given the chance to enter a new PIN and will gain access to the previous user's prepaid card.

We had planned on not disclosing this vulnerability until later, but since it is already public, I can report that we were aware of it as well.

We reported it to Google on January 4th and they are presently working on a fix for it.

The fix involves, partially, linking the prepaid account to the user's GAIA (Google account) instead of the hardware device ID. But they still have not confirmed to me how they will challenge a user to prove their identity before re-activating a previously activated prepaid card.

Please note that this issue ONLY affects people's pre-paid accounts, not Citi MasterCard or any other type of account in Google Wallet.

EDIT 2: CLARIFICATION ON WHO IS AT RISK

We have just added a new post that details why users who have not already rooted their phones are still at risk from these Google Wallet issues. We believe there was a lot of confusion about what it means to be rooted as compared to just attaining root privileges.

The issues we bring up, surrounding privilege escalation vulnerabilities, have grave consequences for Android (and all mobile device) security, not just Google Wallet.

Hopefully our discussion of these issues will make developers more aware of them before they are written into new apps.

https://zvelo.com/blog/entry/google-...ce-requirement
Senior engineer and security researcher at zvelo, Inc.
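As an added illustration of the design point behind the second vulnerability (this is not code from the post, from zvelo, or from Google): when prepaid state is keyed by the hardware device ID, a reset-and-reprovision on the same handset lands a new PIN in front of the previous holder's balance; keying it by the user's account and demanding proof of identity before reactivation closes that path. The in-memory backend, the device and account identifiers, and the balances are all constructed for the demo. The post says the identity challenge had not been confirmed, so the one-time code modelled here is an assumption, not the mechanism Google chose.

```python
"""Toy model of the prepaid-card binding flaw and an account-bound alternative.

Constructed example for illustration; the identifiers, balances and the
one-time-code challenge are assumptions, not the real Wallet backend.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import hmac
import secrets


@dataclass
class Prepaid:
    balance_cents: int
    pin: str  # held in the clear only because this is a toy model


class DeviceBoundBackend:
    """Vulnerable design: prepaid state is looked up by hardware device ID."""

    def __init__(self) -> None:
        self._by_device: Dict[str, Prepaid] = {}

    def setup(self, device_id: str, gaia_account: str, new_pin: str) -> Prepaid:
        # The account is ignored; a fresh setup after uninstall/reset finds the
        # prior card by device ID and accepts whatever PIN the new person picks.
        card = self._by_device.get(device_id)
        if card is None:
            card = Prepaid(balance_cents=0, pin=new_pin)
            self._by_device[device_id] = card
        else:
            card.pin = new_pin  # previous holder's balance, now behind a new PIN
        return card


class AccountBoundBackend:
    """Hardened design: prepaid state keyed by account; reactivation is challenged."""

    def __init__(self) -> None:
        self._by_account: Dict[str, Prepaid] = {}
        self._pending: Dict[str, str] = {}  # account -> outstanding one-time code

    def issue_challenge(self, gaia_account: str) -> str:
        """Create a one-time code to be delivered out of band (assumed mechanism).

        Returned directly here so the demo can present it; a real service would
        send it to the account holder rather than to the device doing setup.
        """
        code = secrets.token_hex(4)
        self._pending[gaia_account] = code
        return code

    def setup(self, device_id: str, gaia_account: str, new_pin: str,
              challenge_response: Optional[str] = None) -> Prepaid:
        # device_id is informational only; it never selects the card.
        card = self._by_account.get(gaia_account)
        if card is None:
            card = Prepaid(balance_cents=0, pin=new_pin)
            self._by_account[gaia_account] = card
            return card
        expected = self._pending.get(gaia_account)
        if (expected is None or challenge_response is None
                or not hmac.compare_digest(expected, challenge_response)):
            raise PermissionError("identity challenge required before reactivating prepaid card")
        del self._pending[gaia_account]  # code is single-use
        card.pin = new_pin
        return card


def demo() -> Dict[str, object]:
    """Run the scenario from the post against both designs; returns what each yields."""
    vuln = DeviceBoundBackend()
    alice = vuln.setup("DEVICE-0001", "alice@example.com", "1234")
    alice.balance_cents = 5000  # Alice loads $50 onto her prepaid card
    # The handset changes hands; the new holder resets Wallet and sets it up again.
    taken_over = vuln.setup("DEVICE-0001", "mallory@example.com", "9999")

    fixed = AccountBoundBackend()
    alice2 = fixed.setup("DEVICE-0001", "alice@example.com", "1234")
    alice2.balance_cents = 5000
    other = fixed.setup("DEVICE-0001", "mallory@example.com", "9999")  # new, empty card
    try:
        fixed.setup("DEVICE-0002", "alice@example.com", "4321")  # Alice on a new phone
        challenged = False
    except PermissionError:
        challenged = True
    code = fixed.issue_challenge("alice@example.com")
    restored = fixed.setup("DEVICE-0002", "alice@example.com", "4321", challenge_response=code)
    return {
        "vulnerable_balance_after_reset": taken_over.balance_cents,
        "hardened_balance_for_other_account": other.balance_cents,
        "hardened_requires_challenge": challenged,
        "hardened_balance_after_challenge": restored.balance_cents,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The single-use code and constant-time comparison are incidental; the point of the example is the lookup key. Any state that follows the hardware identifier rather than the authenticated account will survive a reset and be handed to whoever provisions the device next.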
 
foxehkins
#2  
Senior Member
Thanks Meter 103
Posts: 432
Join Date: Apr 2010
Location: Las Vegas
You should probably mention that Google is releasing a fix so that you don't cause unnecessary fear in the community.
 
miasma
#3  
Member - OP
Thanks Meter 32
Posts: 80
Join Date: Sep 2009
Google has a fix, but it is up to the banks to decide if it will be released. We are hoping the publicity will cause the banks to make the right decision.

Right now, there is a possibility that the fix will never be released.

Please see the blog article for tips on how you can lower your exposure profile.
Senior engineer and security researcher at zvelo, Inc.
 
dmmarck
#4  
Senior Member
Thanks Meter 77
Posts: 467
Join Date: Apr 2011
Quote:
Originally Posted by miasma
Google has a fix, but it is up to the banks to decide if it will be released. We are hoping the publicity will cause the banks to make the right decision.

Right now, there is a possibility that the fix will never be released.

Please see the blog article for tips on how you can lower your exposure profile.
Can you please clarify: why is it up to the banks? Is this not Google's application?

Regardless, I can't see why banks would not want to fix this. And really, it's just Citi/Mastercard, right?
LG Nexus 5 - 16GB/Black - Unlocked, Rooted, TWRP, franco.Kernel
ASUS Nexus 7 (2013) - 16GB - Unlocked
 
miasma
#5  
Member - OP
Thanks Meter 32
Posts: 80
Join Date: Sep 2009
Google believes that the change required may constitute a "change of agency" regarding who does the PIN verification (if it is done inside the secure element). If the banks then become responsible for the PIN verification, the PIN becomes subject to the same regulations and procedures as an ATM PIN. The banks may choose to accept the risk as is rather than take on the increased cost and overhead associated with the change. Please spread the word so that we might be able to leverage them to make the correct decision.
Senior engineer and security researcher at zvelo, Inc.
 
dmmarck
#6  
Senior Member
Thanks Meter 77
Posts: 467
Join Date: Apr 2011
Quote:
Originally Posted by miasma
Google believes that the change required may constitute a "change of agency" regarding who does the PIN verification (if it is done inside the secure element). If the banks then become responsible for the PIN verification, the PIN becomes subject to the same regulations and procedures as an ATM PIN. The banks may choose to accept the risk as is rather than take on the increased cost and overhead associated with the change. Please spread the word so that we might be able to leverage them to make the correct decision.
Legally speaking, that makes perfect sense.

Thanks for the clarification, and I will spread it.
LG Nexus 5 - 16GB/Black - Unlocked, Rooted, TWRP, franco.Kernel
ASUS Nexus 7 (2013) - 16GB - Unlocked
 
McDeadagain
#7  
Member
Thanks Meter 27
Posts: 88
Join Date: Dec 2011
Location: Atlanta
Thank you to the OP.

I found your article thorough, well-written, and serious without being alarmist.

I'll follow the limited steps I can take right now.

Just thinking of my phone in terms of my wallet - if I do lose it and want to prevent someone accessing anything on my phone, is there something I can do? Does Google offer a remote wipe?

I guess I can look this up on my own; I was just wondering how people handle it. I figure even with the PIN vulnerability, the phone is still more secure than the credit cards in my wallet. I've had the numbers on those stolen without them ever leaving my possession. In fact, they got my PIN too - must've had a spotter at an ATM or used one of the swipe readers.
 
miasma
#8  
Member - OP
Thanks Meter 32
Posts: 80
Join Date: Sep 2009
If you use Google Apps, there is a native remote wipe feature with that. Otherwise, apps like Lookout are good options.
Senior engineer and security researcher at zvelo, Inc.
 
McDeadagain
#9  
Member
Thanks Meter 27
Posts: 88
Join Date: Dec 2011
Location: Atlanta
Quote:
Originally Posted by miasma
If you use google apps, there is a native remote wipe feature with that. Otherwise, apps like lookout are good options.
Thanks. I'll look into the native app; I didn't know Google offered something.
 
lukegb
#10  
Senior Member
Thanks Meter 211
Posts: 106
Join Date: Jul 2010
Location: Portsmouth

 
Quick response to your bit about the CPLC:

The CPLC is checked by the Wallet start-up system and is retrieved from the SE and compared to the value stored in the Wallet database. If, at launch, this value doesn't match up, then an exception is thrown.

It doesn't appear to be parsed anywhere within Wallet itself, so the actual SE applet would need analysis.
Awesome, I can edit my signature now. What should I put in it?
Galaxy Nexus, running whatever ROM I feel like. Currently stock. Or I was when I wrote this.

Tags
google, pin, security, vulnerability, wallet