I am finally able to disclose a major vulnerability I found in Google Wallet.
The vulnerability is that the Google Wallet PIN can be exposed without a single invalid attempt. This renders all the security of the secure element void.
Please see below for our press release, detailed blog posting, demonstration app and source code.
Feel free to ask me any questions or report any issues.
The app is also able to give you some useful information about the state of your secure element. This may be helpful for people with SE issues.
Here is a video demonstration of the vulnerability:
We reported this issue to Google on December 21.
Google has a fix, but it is up to the banks to decide if it will be released. We are hoping the publicity will cause the banks to make the right decision.
Right now, there is a possibility that the fix will never be released.
Google believes that the change required may constitute a "change of agency" regarding who does the PIN verification (if it is done inside the secure element). If the banks then become responsible for the PIN verification, the PIN becomes subject to the same regulations and procedures as an ATM PIN. The banks may choose to accept the risk as is rather than take on the increased cost and overhead associated with the change. Please spread the word so that we might be able to leverage them to make the correct decision.
What can you do to lower your risk profile?
Reset Google Wallet from within the wallet app itself, then uninstall it (this wipes everything from the device)
-- OR -- (any one of these will help, but #1 is the most important)
1. Add a screen lock (not the slide lock)
2. Disable USB debugging
3. Enable full disk encryption
4. Unroot if rooted
5. Use only the stock ROM and ensure it is up to date
6. Install an app that gives you the ability to "remotely wipe" the device if it is lost (Lookout is one example)
EDIT: DETAILS OF SECOND VULNERABILITY
Regarding the second vulnerability announced today: this is the issue where, by uninstalling or resetting the Wallet app and then re-configuring it for the same user, they are given the chance to enter a new PIN and will gain access to the previous user's prepaid card.
We had planned on not disclosing this vulnerability until later, but since it is already public, I can report that we were aware of it as well.
We reported it to Google on January 4th and they are presently working on a fix for it.
The fix involves, partially, linking the prepaid account to the user's GAIA (Google account) instead of the hardware device ID. But they still have not confirmed to me how they will challenge a user to prove their identity before re-activating a previously activated prepaid card.
Please note that this issue ONLY affects people's pre-paid accounts, not Citi MasterCard or any other type of account in Google Wallet.
EDIT 2: CLARIFICATION ON WHO IS AT RISK
We have just added a new post that details why users who have not already rooted their phones are still at risk from these Google Wallet issues. We believe there was a lot of confusion about what it means to be rooted as compared to just attaining root privileges.
The issues we bring up, surrounding privilege escalation vulnerabilities, have grave consequences for Android (and all mobile device) security, not just Google Wallet.
Hopefully our discussion of these issues will make developers more aware of them before they are written into new apps.
Please see the blog article for tips on how you can lower your exposure profile.
Senior engineer and security researcher at zvelo, Inc.
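The second vulnerability described in the post above comes down to what a provisioned prepaid card is bound to. The following is an added model, not Google Wallet's code and not zvelo's, contrasting a card record keyed by hardware device ID (a local app reset leaves the server-side record in place, so the next configuration on the same device adopts it with a fresh PIN) with a record keyed by the signed-in account that also demands an identity challenge before an existing card is re-activated. The challenge mechanism is an assumption (a one-time code the service would deliver out of band); the post says Google had not confirmed how that step would work. Account names, device IDs and balances are constructed sample values.

```python
"""Added model of prepaid-card binding: device ID vs account plus challenge.
Not Google's implementation; the identity challenge here is an assumed
one-time code, standing in for whatever Google actually chose."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class PrepaidCard:
    card_id: str
    balance_cents: int
    pin: str  # chosen by whoever configures the wallet


def _new_card(pin: str) -> PrepaidCard:
    return PrepaidCard(card_id="card-" + secrets.token_hex(4), balance_cents=0, pin=pin)


class DeviceBoundService:
    """Model of the weak design: the card is tied to the hardware device ID.
    An app reset or uninstall wipes only local state; the server-side record
    survives, and the next configure() on that device adopts it with a new PIN."""

    def __init__(self) -> None:
        self._by_device: Dict[str, PrepaidCard] = {}

    def configure(self, device_id: str, account: str, new_pin: str) -> PrepaidCard:
        card = self._by_device.get(device_id)
        if card is None:
            card = self._by_device[device_id] = _new_card(new_pin)
        card.pin = new_pin  # no check that the caller owns this card
        return card


class AccountBoundService:
    """Model of the fix direction: the card is tied to the signed-in account,
    and re-activating an existing card requires a challenge code (assumed to be
    delivered out of band to the account holder)."""

    def __init__(self) -> None:
        self._by_account: Dict[str, PrepaidCard] = {}
        self._pending: Dict[str, str] = {}

    def issue_challenge(self, account: str) -> str:
        code = secrets.token_hex(8)
        self._pending[account] = code
        return code  # modelled as reaching the user out of band

    def configure(self, device_id: str, account: str, new_pin: str,
                  challenge_code: Optional[str] = None) -> PrepaidCard:
        card = self._by_account.get(account)
        if card is None:
            card = self._by_account[account] = _new_card(new_pin)
            return card
        # Existing card: consume the pending code whether or not it matches.
        expected = self._pending.pop(account, None)
        if expected is None or challenge_code is None or \
                not hmac.compare_digest(expected, challenge_code):
            raise PermissionError("identity challenge required to re-activate card")
        card.pin = new_pin
        return card


def device_bound_scenario() -> int:
    """Reset + reconfigure on the same device with a different account."""
    svc = DeviceBoundService()
    owner = svc.configure("device-A", "owner@example.com", "1234")
    owner.balance_cents = 5000  # constructed: owner loads funds
    # App reset/uninstall: local state gone, server record untouched.
    other = svc.configure("device-A", "someone-else@example.com", "9999")
    return other.balance_cents  # previous owner's funds are reachable


def account_bound_scenario() -> Tuple[int, bool, int]:
    """Same sequence under account binding with a re-activation challenge."""
    svc = AccountBoundService()
    owner = svc.configure("device-A", "owner@example.com", "1234")
    owner.balance_cents = 5000
    other = svc.configure("device-A", "someone-else@example.com", "9999")
    try:
        svc.configure("device-A", "owner@example.com", "5678")
        challenged = False
    except PermissionError:
        challenged = True
    code = svc.issue_challenge("owner@example.com")
    back = svc.configure("device-A", "owner@example.com", "5678", challenge_code=code)
    return other.balance_cents, challenged, back.balance_cents


if __name__ == "__main__":
    print("device-bound, second party sees balance:", device_bound_scenario())
    print("account-bound (other's balance, challenged, owner's balance):",
          account_bound_scenario())
```

The point the model makes is that binding to the account alone is not enough: a fresh configuration by the same account must still prove it is the account holder before the old card, with its balance, is re-attached to a new PIN.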
Can you please clarify: why is it up to the banks? Is this not Google's application?
Regardless, I can't see why banks would not want to fix this. And really, it's just Citi/Mastercard, right?
Google believes that the change required may constitute a "change of agency" regarding who does the PIN verification (if it is done inside the secure element). If the banks then become responsible for the PIN verification, the PIN becomes subject to the same regulations and procedures as an ATM PIN. The banks may choose to accept the risk as is rather than take on the increased cost and overhead associated with the change. Please spread the word so that we might be able to leverage them to make the correct decision.
Legally speaking, that makes perfect sense.
Thanks for the clarification, and I will spread it.
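The "change of agency" exchange above turns on where the PIN is verified. The model below is an added illustration, not zvelo's or Google's code, of why that placement matters: a PIN object inside the secure element answers only verify() and burns a retry counter on every wrong guess, whereas verification done by the app on the host means some verifier value has to sit in app storage, where a root-privileged process can check candidates against it without the secure element ever seeing an attempt. The retry limit and the salted-hash form of the host-side verifier are assumptions made for the model; the original post only states that the PIN is exposed without a single invalid attempt.

```python
"""Added model: PIN verification inside the SE vs on the host.
Assumed: a 4-digit PIN, a retry limit of 5, and a salted hash as the
host-side verifier. None of this is Google Wallet's actual implementation."""
import hashlib
import hmac
import itertools
import os
from typing import Iterator, Tuple

PIN_LENGTH = 4
MAX_TRIES = 5  # assumed retry limit, typical of smart-card PIN objects


def all_pins() -> Iterator[str]:
    """Every possible PIN, in numeric order (10**PIN_LENGTH of them)."""
    for digits in itertools.product("0123456789", repeat=PIN_LENGTH):
        yield "".join(digits)


class SecureElementPin:
    """Verification inside the secure element: the PIN never leaves the SE and
    each comparison decrements a retry counter until the PIN is blocked."""

    def __init__(self, pin: str) -> None:
        self._pin = pin.encode()  # private to the SE
        self.tries_left = MAX_TRIES

    def verify(self, candidate: str) -> bool:
        if self.tries_left == 0:
            raise PermissionError("PIN blocked")
        if hmac.compare_digest(self._pin, candidate.encode()):
            self.tries_left = MAX_TRIES
            return True
        self.tries_left -= 1
        return False


class HostSidePin:
    """Verification by the app on the host: the verifier (salt + digest) lives
    in app storage, readable by anything that has root on the device."""

    def __init__(self, pin: str) -> None:
        self.salt = os.urandom(16)
        self.digest = self._hash(pin, self.salt)

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + pin.encode()).digest()

    def verify(self, candidate: str) -> bool:
        return hmac.compare_digest(self._hash(candidate, self.salt), self.digest)


def se_bound_scenario(pin: str) -> Tuple[bool, int]:
    """Guess PINs in order against the SE. Returns (found, tries_left)."""
    se = SecureElementPin(pin)
    for guess in all_pins():
        try:
            if se.verify(guess):
                return True, se.tries_left
        except PermissionError:
            break  # SE stopped answering after MAX_TRIES wrong guesses
    return False, se.tries_left


def host_bound_scenario(pin: str) -> Tuple[bool, int]:
    """Check every PIN against the host-stored verifier. Returns (found,
    tries_left on the SE), which stays at MAX_TRIES: the SE is never consulted."""
    host = HostSidePin(pin)
    se = SecureElementPin(pin)  # present on the device, never involved
    found = any(host.verify(guess) for guess in all_pins())
    return found, se.tries_left


if __name__ == "__main__":
    print("SE-side verification   (found, tries_left):", se_bound_scenario("7391"))
    print("host-side verification (found, tries_left):", host_bound_scenario("7391"))
```

With a PIN that is not among the first few guesses, the SE-side model blocks after MAX_TRIES and the PIN is never recovered, while the host-side model finds it with the SE's counter untouched; that is what "renders all the security of the secure element void" means in practice, and why moving verification into the SE changes who is accountable for the PIN.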
I found your article thorough, well written, and serious without being alarmist.
I'll follow the limited steps I can take right now.
Just thinking of my phone in terms of my wallet - if I do lose it and want to prevent someone accessing anything on my phone, is there something I can do? Does Google offer a remote wipe?
I guess I can look this up on my own; was just wondering how people handle it. I figure even with the PIN vulnerability, the phone is still more secure than the credit cards in my wallet. I've had the numbers on those stolen without them ever leaving my possession. In fact they got my PIN too - must've had a spotter at an ATM or used one of the swipe readers.
The CPLC is checked by the Wallet start-up system and is retrieved from the SE and compared to the value stored in the Wallet database. If, at launch, this value doesn't match up, then an exception is thrown.
It doesn't appear to be parsed anywhere within Wallet itself, so the actual SE applet would need analysis.