News of two security flaws in Google (Nasdaq: GOOG) Wallet, which lets smartphone owners pay for purchases through the devices, has caused some concern about the nascent mobile payment product.
One works on rooted devices; the other works on any smartphone with the Google Wallet capability. All it needs is for someone to get hold of the victim’s smartphone for a couple of minutes.
Security experts are divided over the extent of the threat these attacks pose to Androidsmartphone users.
“It appears that mobile wallets will grow fast as a payment platform,” Andrey Tikhonov, chief technology officer at MobilePayUSA, told TechNewsWorld. Google Wallet “will be a primary target for attacks” because of the platform’s rapid growth.
However, the number of Google Wallet users is low, Steve Kirsch, CEO and founder of OneID, pointed out. “You’re much more likely to have your wallet with your credit cards stolen,” he told TechNewsWorld. The security flaws are “more of a PR embarrassment.”
Google did not respond to requests for comment for this story.
The Rooted G-Wallet Flaw
The flaw which exploits rooted smartphones was discovered this week by Joshua Rubin of Zvelo.
Essentially, he found that it was easy to crack the PIN number using abrute-force attack. This consists of systematically checking all possible combinations of the digits in the PIN.
PINs have only four digits, so that would require calculating a maximum of 10,000 SHA256 hashes, which Rubin characterized as a trivial problem. SHA256 is a version of the Secure Hash Algorithm that uses 256-bit words to encrypt data.
Google Wallet only allows five invalid PIN entry attempts, but the brute force attack discovered the PIN without chalking up even one invalid attempt, thus completely negating security.
This attack “is as easy as getting a user to download a game or porn [on their device],” independent security consultant Randy Abrams told TechNewsWorld.
Rubin has reported the issue to Google, which confirmed it and is working on a solution. However, the fix, which may involve moving the PIN off a smartphone and storing it on the device’s NFC chip, could result in a shifting of responsibilities. Instead of Google being responsible for keeping the PIN safe, banks would then be put in that position. Zvelo contends this would expose users to undue risk.
Banks “will never accept responsibility for security unless required to by law,” Abrams commented.
The Evil That Rooting Does
Technically adept device owners sometimes root their smartphones because this lets them change or replace system applications and settings and run specialized apps that require administrator-level permissions, among other things.
“The chances of attacking a rooted device are reasonably high, especially in the Android community, which attracts open-minded, technology-savvy users,” MobilePayUSA’s Tikhonov opined.
The danger of rooting is that it “creates security holes that aren’t necessarily being tracked by security vendors because they’re tracking to the standard configuration,” Michael Morgan, a senior analyst at ABI Research, told TechNewsWorld.
Never Trust A Stranger
The other security vulnerability, which is much easier to exploit, was discovered at least as early as last December, when it was described in the XDA Developers’ Forum by someone with the handle “Evangelion01.”
It’s not clear why this information wasn’t well-publicized earlier, but apparently the same info was again posted Thursday by Smartphone Champ.
For this method, all that’s needed is for a thief to go into a smartphone’s application settings folder and clear the data for Google Wallet. That lets the thief set up his/or her own PIN number and gain access to the victim’s prepaid card in Google Wallet.
This works on devices whose screens aren’t locked down with a passcode, Evangelion01 said.
However, “users would discover their phone is missing sooner than a hacker would be able to access security-sensitive data,” Tikhonov suggested.
Security Options for G-Wallet
It’s possible to design e-wallets securely so that the PIN code can’t be cracked, OneID’s Kirsch contended.
Smartphone manufacturers can lock the devices and prevent rooting, MobilePayUSA’s Tikhonov suggested. However “this measure may turn some users away from Android devices.”
For the second type of attack, which doesn’t require a rooted device, “using dual factor authentication when the device was reset back to factory default settings” might be a solution, Tikhonov said.
Google should let users lock out individual apps with a code or facial recognition to prevent the second type of attack, Evangelion01 suggested.
Companies offering mobile wallet capabilities should look at incorporating various security standards devised by the American National Standards Institute (ANSI) as well as “secure coding practices reinforced by very strong code review policies,” Tikhonov suggested.