Google Wallet isn't as secure as thought
So the most amazing feature of an NFC equipped Android phone running Ice Cream Sandwich has got to Be Google Wallet. The Google Wallet is currently only available in the US(officially) and is known to be pretty secure, at least that’s we all thought.
Now it turns out that Google Wallet isn’t as secure as previously thought. Since Google Wallet works on NFC, it’s important to understand how this happens. Zvelo, an internet security company has a rather lucid explanation right there for you.
NFC is based on Radio Frequency Identification (RFID) to communicate wirelessly. In order to facilitate secure communication, a device, similar to a Smart Card, called a Secure Element (SE), is used to store and encrypt, for broadcast, the most sensitive data such as the complete credit card number. Access to the SE is highly regulated and it is designed to resist tampering, possibly even engaging a self-destruct mechanism to protect its data. This is the core security layer of NFC payment systems.
In order to authenticate users and grant access to the SE, Google Wallet requires a 4-digit, numeric PIN when first launching the app. This is the additional security that traditional physical credit cards do not have and is what the NFC providers are proclaiming makes the security of their system so much better. If a thief steals a smartphone, and tries to reveal the credit card information, Google Wallet will lock up completely after a few failed PIN attempts.
So what’s the big deal.. why is it unsafe? Well, it turns out that if you have rooted your phone then it might be possible for someone to get a hold of that 4 digit code. This is because that secure code is stored on the device itself. Kind of a scary situation because a brute force attack even if done via PC or another smartphone could reveal the code. Now Google Wallet allows five attempts before it locks up the service on the phone, but with a brute force attack it could be revealed without making a single error.
The root cause of this is the manner in which files are encrypted and stored along with the way they are named. Zvelo found it to be almost too easy to get in.
The good news however is that this vulnerability is only for rooted phones and not unrooted smartphones. I guess it pays to not have that phone rooted after all.
If you area tech geek and want to know the dirty details you can visit Zvelo’s blog post, which details the dirty bits for you to see.
I hope Google will not be this careless with this service.