Zvelo unveils Google Wallet PIN brute force hack

A bunch of researchers at security firm zvelo have figured out a way to crack the Google Wallet PIN. The company discussed the vulnerability, which requires the device to be rooted, on their blog Wednesday.

Google Wallet allows consumers to use their phone to make payments, at retailers that support it, by leveraging near field communication (NFC) technology built into a few Android phones. This allows the phone to be used like a credit card on contact-less readers. When payments are initiated, the phone will prompt the user to enter their PIN number to confirm the transaction.

Zvelo discovered a vulnerability in the Google Wallet system that allowed them to brute force the PIN on a phone. If you happen to be using Google Wallet, this isn’t necessarily cause to freak out. There are a few catches that allowed zvelo to perform this attack.

First, the phone needs to be rooted, which removes certain protections from the device. The second catch here is that the person initiating the brute force attack needs to have physical access to the phone and has to install password cracking software. If you haven’t rooted your phone, or you use a screen lock password that would prevent someone from installing software on your phone, your risk is low.

Google issued a statement in response to zvelo’s description of the vulnerability which said,

“The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.”

Zvelo also adds that in addition to not rooting and using a lock screen, users should disable USB debugging on their device and enable full disk encrpytion. Those steps might be a little bit extreme, but if you use Google Wallet and are feeling particularly paranoid, I suppose they couldn’t hurt. Google is working on a fix for the vulnerability but they haven’t detailed exactly when it will be available.

Do any of you use Google Wallet? There are such a limited number of phones that currently support the technology, and very few users who leverage it, I can’t imagine this bug being a hot button issue.