A security company announced yesterday that it has discovered a “significant vulnerability in the Google Wallet mobile phone payment system.” The company found that a Wallet PIN is susceptible to a brute force attack – trying all possible key combinations until the PIN is discovered – that can make it possible for thieves to make purchases with a Google Wallet-enabled phone.
But Zvelo, the security company in question, buried the lede: a phone must already be rooted for its hack to work. The attack will not work on a non-rooted device, and rooting the phone after stealing it would wipe the PIN information, making it useless. Google made that important distinction in a statement to The Next Web:
The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone.
Zvelo did note at the bottom of its announcement post that root is required for the hack to work. However, the company claims that because Nexus devices are more likely to be rooted, this does not diminish the danger of the way Google Wallet data is stored on a device. The only solution is to move PIN information into the Secure Element, an area in which all data is encrypted. Google is already working on this adjustment.
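Added illustration (not code from the article, from Zvelo, or from Google Wallet): the brute-force problem described above and the Secure Element mitigation, reduced to a runnable model. The first half shows why a 4-digit PIN stored as a salted hash on the device offers no protection once an attacker with root can read that hash: at most 10,000 candidates need to be checked, with nothing to slow the search down. The second half models what moving verification into a tamper-resistant element buys: the host never sees the hash, only a verify() result, and the element enforces a retry counter. The hashing scheme, the salt, the PIN value and the retry limit are all constructed assumptions for the demo, not Google Wallet's actual storage format or policy.

```python
import hashlib
import hmac
import os

PIN_LENGTH = 4  # assumption: a 4-digit numeric PIN, giving 10,000 candidates


def store_pin_hash(pin: str, salt: bytes) -> bytes:
    """Salted SHA-256 of the PIN. Constructed stand-in for an on-device PIN
    store that a rooted device can read; not Wallet's real format."""
    return hashlib.sha256(salt + pin.encode()).digest()


def offline_brute_force(stored_hash: bytes, salt: bytes):
    """Offline search: with the hash and salt in hand (what root access yields),
    try every PIN in order. Returns (pin, attempts_made) or (None, attempts)."""
    total = 10 ** PIN_LENGTH
    for n in range(total):
        candidate = f"{n:0{PIN_LENGTH}d}"
        if hmac.compare_digest(store_pin_hash(candidate, salt), stored_hash):
            return candidate, n + 1
    return None, total


class SecureElementPinVerifier:
    """Model of the mitigation the article describes: the PIN material stays
    inside a tamper-resistant element. The host can only call verify(), and the
    element counts failures and locks itself after max_attempts of them.
    The retry limit is an assumption for the demo."""

    def __init__(self, pin: str, max_attempts: int = 5):
        self._salt = os.urandom(16)          # never readable by the host
        self._hash = store_pin_hash(pin, self._salt)
        self.max_attempts = max_attempts
        self.failed = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(store_pin_hash(candidate, self._salt), self._hash):
            self.failed = 0                  # correct PIN resets the counter
            return True
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.locked = True               # further guesses are refused
        return False


def online_brute_force(verifier: SecureElementPinVerifier):
    """The same search run against the verifier model. Returns
    (pin or None, attempts_made); the search stops as soon as the element locks."""
    attempts = 0
    for n in range(10 ** PIN_LENGTH):
        if verifier.locked:
            break
        candidate = f"{n:0{PIN_LENGTH}d}"
        attempts += 1
        if verifier.verify(candidate):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sample: a PIN and a salt that a rooted device could read from storage.
    demo_salt = b"constructed-demo-salt"
    stolen_hash = store_pin_hash("4821", demo_salt)
    print("offline search:", offline_brute_force(stolen_hash, demo_salt))

    # Same PIN behind a retry-limited verifier: the search gives up after 5 tries.
    se = SecureElementPinVerifier("4821", max_attempts=5)
    print("against secure element:", online_brute_force(se), "locked:", se.locked)
```

The offline function recovers the PIN after at most 10,000 cheap hash computations, which is why the hash alone protects nothing once root access exposes it. The verifier model shows the property that matters for the mitigation: the number of guesses is bounded by the element's retry policy, not by the PIN's entropy, so a 4-digit PIN becomes defensible only when the comparison and the counter live somewhere the host cannot read or reset.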
So the simple solution here is to not root your phone if you want to use Google Wallet. And if you are rooted, you already know that doing so exposes you to far more security risks than the average customer faces, which means the onus is on you to keep your information secure. Use a PIN code lock screen on your phone, and don't lose your phone.
It's still safer than losing your actual wallet and credit cards, which thieves can use for a shopping spree before you realize it's gone.