
Security Flaw Found in Google Wallet (video)

As many of us are aware, NFC payments are going to become more and more commonplace in the everyday marketplace. Along with that growth, of course, will come growing pains. Zvelo.com is reporting that a security flaw has been found in Google Wallet that allows the PIN you use to lock Google Wallet to be discovered by a third-party app.

viaForensics recently came out with a report about the security of Google Wallet. In it, they concluded that due to the unencrypted personal information and payment history, users might be subject to social engineering attacks.  

We were intrigued by the findings from viaForensics and decided to do a bit of digging of our own. We were quickly able to independently confirm the findings of viaForensics. As we investigated the data stored in the per-app (sqlite3) database used by Google Wallet, we became intrigued by the contents of the “metadata” table that contained only 3 rows but a large “blob” of binary data in each. The name alone, “metadata,” just seemed like a poor attempt at “security by obscurity” which as we already know, “is no security at all.”

One row in this table has id ‘gmad_bytes_are_fun’ and this appears to be a sort of encrypted file system used for storing data via the SE. The contents of the binary data in this row likely includes the complete credit card information and certainly needs further vetting, but it was not this row that interested us.

Another row had an id of ‘deviceInfo’ and appeared to have much more non-null data. However, this binary data had to be parsed somehow to uncover its contents. After some more digging, we realized that this data was compiled using Google’s own “Protocol Buffers.” This is an open library for serializing data for messages passing between systems. In order to use this data, we had to define a “message format” in a “.proto” file (Protocol Buffer Basics: Java). With our custom “.proto” file in hand, we were able to uncover the contents of the binary data and were shocked at what we found. Unique User IDs (UUID), Google (GAIA) account information, Cloud to Device Messaging (C2DM, also known as “push notification”) account information, Google Wallet Setup status, “TSA” (this is probably related to “Trusted Services” not the “Transportation Security Administration”) status, SE status and most notably “Card Production Lifecycle” (CPLC) data and PIN information.

The CPLC data is a vital part of the communication with the SE. However, it was yet another binary blob that would have to be deciphered, or perhaps it just acts like a “key” to unlock the SE and has no decipherable data within.

The linchpin, however, was that within the PIN information section was a long integer “salt” and a SHA-256 hex-encoded string “hash”. Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA-256 hashes. This is trivial even on a platform as limited as a smartphone. Proving this hypothesis took little time.

Google Wallet allows only five invalid PIN entry attempts before locking the user out. With this attack, the PIN can be revealed without even a single invalid attempt. This completely negates all of the security of this mobile phone payment system.

They state that Google has been made aware of the security vulnerability and is working on a fix. We all knew it was only a matter of time before a security vulnerability showed up in cell phone NFC payments; hopefully the hole gets plugged quickly. In the meantime, I still believe that even with this flaw, NFC payments via cell phone are more secure than a plastic credit card, which an unauthorized person can use, or simply read the number off of, without needing any security flaw at all.


Source:  https://zvelo.com/blog/entry/google-wallet-security-pin-exposure-vulnerability
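To make the two designs the post contrasts concrete, here is an added Python model (not code from zvelo or Google): a client-readable salted SHA-256 digest, which any app that can read the database confirms offline in at most 10,000 hashes with no failed attempt ever recorded, beside a verifier that keeps the comparison and the five-attempt counter inside a protected component. The salt-and-PIN combination, the sample PIN and the `SecureElementVerifier` class are assumptions for illustration; the post does not document how Google Wallet combined salt and PIN.

```python
import hashlib
import hmac

PIN_SPACE = [f"{i:04d}" for i in range(10_000)]  # every possible 4-digit PIN


def client_side_digest(pin: str, salt: int) -> str:
    # ASSUMPTION: salt and PIN are concatenated and hashed once with SHA-256.
    # Any fast, unkeyed construction behaves the same for this demonstration.
    return hashlib.sha256(f"{salt}:{pin}".encode()).hexdigest()


def offline_hashes_needed(salt: int, digest: str) -> int:
    """Number of SHA-256 evaluations needed to confirm the PIN from the stored
    salt/digest alone. Bounded by 10,000 for a 4-digit PIN, and no on-device
    attempt counter ever observes these comparisons."""
    for n, candidate in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(client_side_digest(candidate, salt), digest):
            return n
    return len(PIN_SPACE)  # not reached for a valid 4-digit PIN


class SecureElementVerifier:
    """Model of the alternative: the reference value and the attempt counter
    live in a component that ordinary apps cannot read, so the only way to
    test a guess is to submit it, and the counter sees every submission."""
    MAX_ATTEMPTS = 5  # the lockout threshold the post quotes

    def __init__(self, pin: str):
        self._pin = pin
        self._failures = 0
        self.locked = False

    def verify(self, attempt: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(attempt, self._pin):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self.MAX_ATTEMPTS:
            self.locked = True
        return False


def guesses_before_lock(verifier: SecureElementVerifier) -> int:
    """Wrong candidates the verifier accepts before locking out the caller."""
    tried = 0
    for candidate in PIN_SPACE:
        if verifier.locked:
            break
        verifier.verify(candidate)
        tried += 1
    return tried
```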


Also, there is another, much simpler way for a person to gain access to your Google Wallet if they have your phone. If you go into the application settings menu and clear the data for Google Wallet, the next time you open the app it will ask you to set a new PIN. After setting the new PIN, it will then link itself back to your Google Wallet account. In other words, if a person steals your phone, all they have to do is clear the Google Wallet data and then they are free to spend your money. Hopefully this flaw in the system gets fixed ASAP.
