Look out, it isn’t safe for Google Wallet just yet. The folks at website categorisation firm zvelo, which identified issues with the payment system last week, are back again to point out that Google is wrong to claim that the security issues only affect rooted devices.
According to the company’s latest findings, “while it is true that this PIN vulnerability requires root privileges to succeed, it does not require that the device be rooted previously”.
In other words and to be clear, it claims that an unrooted device can have its Google Wallet PIN security overridden simply by being rooted and installing a PIN cracker application.
The latest update to Google’s newest version of its Android operating system, Ice Cream Sandwich, was tested and found to be vulnerable to this issue, as is explained:
We were able to test this code and achieve root permissions on our Galaxy Nexus running the latest stock ICL53F without losing any preexisting data on the device. This would enable a malicious app to access the Google Wallet PIN, and any other data on a vulnerable device without it being pre-rooted.
The post points out that the issue at play here — a dependence on users not having full access to their device — applies to both Android and iOS.
Indeed, it is suggested that “there are almost certainly other privilege escalation vulnerabilities within Android and iOS”, and the team suggests that we might find out about them sooner or later.
In other words, rooting your Android phone or jailbreaking your iPhone leaves the device open to a catalogue of potential issues if you lose it or it falls into the wrong hands.
To rewind quickly for those who missed what happened last week: two security flaws around Google Wallet were revealed.
As we initially reported, a team of developers at zvelo demonstrated how the PIN verification system could be overridden on rooted devices. Things then got worse when, as The Verge reported, it emerged that stolen phones could have pre-paid credit accessed by simply clearing data and re-installing the app.
Following all the accusations, Google went public with a statement that claimed Google Wallet was safer than plastic cards. Included in the post was a warning that the issues were only a problem for owners of rooted devices, a claim the company originally made in a comment last week:
To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.
In response to claims that rooting will wipe the data on a device, zvelo’s Joshua Rubin clarified that it is possible to gain access to Google Wallet data while leaving it intact.
@neiljrubenking not true. unlocking bootloader wipes data. but a priv escalation attack that achieves root can crack wallet with data intact
— Joshua Rubin (@JoshuaRubin) February 12, 2012
It appears now that this vulnerability has been unearthed, and possibly a whole lot more. These are big claims and, reading between the lines of zvelo’s claims, it will take some serious action to address these issues.
Google has already suspended the issuing of new pre-paid cards for Google Wallet accounts following the emergence of the second issue, and we will wait to see how it will tackle the latest set of problems. We think there would be merit in hiring the guys at zvelo, or at least picking their brains for more thoughts.
Update: Here’s Google’s response, which rightly advocates setting up additional security measures and contacting the company in the event that a phone is lost:
The recent comments about rooting phones underscore our earlier recommendations that best security practices for using Google Wallet are essential. We strongly advise all users to set up a phone screen lock as an additional layer of protection for Google Wallet. If you lose your phone or suspect an unauthorized transaction, please contact support to disable your cards.
Google has since also restored access to prepaid cards, having said it fixed an issue allowing prepaid accounts to be re-provisioned to other users.