zvelo, a malware analytics group, has discovered that Google Wallet PINs are vulnerable to brute force attacks. The vulnerability only exists if you’re using a rooted phone. An attacker could create an app that easily cracks your 4-digit Google Wallet PIN, allowing them to use your phone to make purchases. Josh Rubin, the software engineer who discovered the vulnerability, demonstrated it in the video below.
Before you get all scared and start unrooting your phones to protect yourself, you should know that several things must all be true for someone to successfully crack your Google Wallet PIN and use your phone to make purchases. For starters, your phone needs to be rooted. If your phone isn’t rooted, you have nothing to worry about. On top of having a rooted phone, you must not have any lock screen enabled (PIN or pattern). If someone gets hold of your phone and can’t unlock it, not much can be done. Last but not least, you must not be in possession of your phone (you lose it or leave it lying around). If all of the above are true, an attacker can take your rooted phone with Google Wallet, easily unlock the screen because you never secured it, and then install a Google Wallet PIN cracking app on your phone in order to make purchases with it.
I think that losing your wallet is a bigger threat. Either way, Google has been notified of the vulnerability and is working to resolve it. The resolution will likely involve having the PIN information controlled and maintained by the banks.
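To make concrete why a 4-digit PIN is so easy to crack once a rooted phone exposes it, and why moving the check to the bank helps, here is an added simulation (not code from zvelo or Google Wallet). It assumes a hypothetical salted SHA-256 record for the locally stored PIN, which is an assumption for illustration, not the real storage format; the point is that a local record gives an attacker 10,000 unstoppable checks, whereas a bank-side verifier with a lockout gives only a handful.

```python
import hashlib
import os
import secrets
from typing import Optional, Tuple

PIN_SPACE = 10_000  # every 4-digit PIN, "0000" through "9999"


def make_local_record(pin: str) -> Tuple[bytes, bytes]:
    """Assumed on-device format: random salt plus SHA-256(salt || pin)."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + pin.encode()).digest()


def offline_search(salt: bytes, digest: bytes) -> Tuple[Optional[str], int]:
    """Check every PIN against a readable local record (the rooted-phone case).
    Nothing on the device can count or stop these checks. Returns (pin, attempts)."""
    for n in range(PIN_SPACE):
        candidate = f"{n:04d}"
        if hashlib.sha256(salt + candidate.encode()).digest() == digest:
            return candidate, n + 1
    return None, PIN_SPACE


class RemoteVerifier:
    """Model of the fix the post anticipates: the PIN is held and checked by the
    bank (or a secure element), which counts failures and locks the account."""
    MAX_ATTEMPTS = 5

    def __init__(self, pin: str) -> None:
        self._pin = pin
        self.failures = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False
        if secrets.compare_digest(candidate, self._pin):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_ATTEMPTS:
            self.locked = True
        return False


def online_search(verifier: RemoteVerifier) -> Tuple[Optional[str], int]:
    """The same exhaustive search against the lockout-enforcing verifier."""
    for n in range(PIN_SPACE):
        candidate = f"{n:04d}"
        if verifier.verify(candidate):
            return candidate, n + 1
        if verifier.locked:
            return None, n + 1  # budget exhausted after MAX_ATTEMPTS tries
    return None, PIN_SPACE
```

Run against a constructed PIN such as "7347", the offline search recovers it in at most 10,000 hash checks (a fraction of a second), while the remote verifier locks after 5 wrong guesses.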
According to zvelo, Google Wallet users can mitigate the risk of the vulnerability by taking the following steps:
- Do Not “Root” the Cell Phone – Doing so will be one less step for a thief.
- Enable Lock Screens – “Face Unlock,” “Pattern,” “PIN” and “Password” all increase physical security to the device. “Slide,” however, does not.
- Disable USB Debugging – When enabled, the data on mobile devices can be accessed without first passing a lock screen challenge unless Full Disk Encryption is also enabled.
- Enable Full Disk Encryption – This will prevent even USB Debugging from bypassing the lock screen.
- Maintain Device Up-To-Date – Ensure the device is current with the latest official software. Unfortunately, users are largely at the behest of their carrier and cell phone manufacturer for this. Using only official software and keeping devices up-to-date is the best way to minimize vulnerabilities and increase security overall.
So, how do you guys feel about this Google Wallet PIN vulnerability? Will you be unrooting your phone anytime soon? I personally won’t be doing anything differently. My phone is rooted and I already have lock screen security enabled. Although my phone is always with me, in the event that I lose it and somehow my Google Wallet PIN gets cracked, the most that will be used is the few dollars I keep in my prepaid Google Wallet card.
Let us know what you think by leaving a comment below.