Google Wallet

Following the news yesterday that Google Wallet's PIN security has been cracked (for rooted users, on unsecured devices), Google has issued an official statement to clarify a few details, including who's vulnerable, and what users should do to protect themselves.  In a statement given to TheNextWeb, Google confirmed what our own Jerry Hildenbrand said in his write-up yesterday -- only rooted users are potentially vulnerable.

"The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.

We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."

So again, only rooted users are at risk, and the recommendation to avoid Google Wallet use on a device with root is a sensible one. For the minority of Wallet users who are rooted, we're sure a fix will come in the days and weeks ahead. And if you're running a nice, clean stock device without any hackery of your own, you've got nothing to worry about.

Of course, news of this vulnerability will likely cause some damage to Google Wallet's reputation, at a time when Google's working hard to increase uptake of its payment method. If and when mainstream news outlets pick up this story, it'll be interesting to see whether they, like Zvelo's original press release, neglect to mention the crucial detail that a pre-rooted device is required.

Source: TheNextWeb

 

Reader comments

Google responds to Wallet hack, recommends not installing it on rooted devices

35 Comments

This doesn't really sound like great advice, couldn't someone that gains access to your device just root it themselves? If they are sophisticated enough to hack and brute force your phone certainly they'd be more than able to root your device themselves. Seems like the best thing to do is have a pin to access the phone.

Rooting the phone requires that you un-lock the boot loader. Android requires a compete factory reset to un-lock the boot loader..... All the research I've indicates that there is no other way around it.

Unless you buy a good phone like the Galaxy S, S2, Nexus or most other Samsung Android phones that do not have locked bootloaders out of the box.

No, they come with a locked bootloader, it's just REALLY easy to unlock. Like by booting into Fastboot:
adb reboot bootloader
And then:
fastboot oem unlock

That's how you unlock the bootloader for a Samsung Galaxy Nexus. So, it comes locked, it's just trivial to unlock. But still completely wipes the phone in the process.

EVERY phone has a locked bootloader. I have a Gnex, it's just incredibly easy to unlock without any sort of "hack" to find. Still, unlocking ANY bootloader completely wipes a phone and therefore Gwallet too.

Google's response is legitimate.

That is a nexus device, using a manufacturer unlock, do you know how many samsung and htc phones can be rooted by running a small script app made by a dev, my first samsung phone only required that I put a small file on the sdcard and reboot, all data stays intact, I rooted my t-bolt the old fashion way, but the new revolutionary root doesn't wipe data.

Also rooting a phone != unlocking the bootloader, you can root a phone and still have a locked bootloader, you just can't flash any roms other than stock in that case.

My Vibrant didn't have a locked bootloader. Before I knew about locked bootloaders, i had rooted and installed a ROM on it.

SIM LOCK PEOPLE BRUTE FORCING IT REQUIRES TOO MANY TRIES SIM LOCKS WILL FRY THE PHONE RATHER PAY 120 FOR AN INSSURANCE CLAIM THEN TO HAVE MY WHOLE PAY CHECK GONE BC I GET OAID ON A DEBIT CARD AND I WOULD BE SCREWED OH IM WORRY SOMEONE STOLE MY PHONE HACKED MY GOOGLE ACCOUNT AND TOOK ALL MY MONEY WHAT YOUR TAKING MY INSURRANCE AND MY TRUCK??? NOOOOOOOOOOOOOOOOOOOOOOOOOO

Another vulnerability of installing Google Wallet on rooted phones is that it permanently turns on capslock mode. Be warned.

Take personal responsibility for your actions.

If you make the decision to put financial data on your phone, then pretend that you're an adult and take basic steps to protect that information.
- turn on the lock screen
- turn off USB debugging
- use disk encryption

It's not that tough.

The only funds I have on wallet is the Google wallet $10 they have us. I won't put any personal account money on it.

Am I in risk?

Sounds like BS to me. What's to stop a bit of malware packaging the zergRush ( http://forum.xda-developers.com/showthread.php?t=1296916 ) or mempodroid ( https://github.com/saurik/mempodroid ) exploits to root the user's phone before they attempt to steal details from Google Wallet (cf. the DroidDream malware using the rageagainstthecage exploit to gain root before delivering its payload)?

OK, maybe Google's bouncer might find such malware if it was on the Google Market, but it wouldn't if it were to download it from a third party site.

That goes back to being responsible; if you're installing apps off a third-party site, who's choice is that exactly?

And if you're doing that, why aren't you running scanners to make sure the app is safe before you put it on your rooted phone with Google Wallet?

This whole thing is ridiculous anyway. Even if you have Google Wallet installed on a rooted phone, it is STILL safer than carrying a credit card in your wallet. Everyone is so dang reactionary when it comes to this crap. And besides, if you are rooted then you are probably savvy enough to install an app that will allow you to remotely wipe the phone. If people want to put their financial info on their phone then it is their responsibility to protect it. End of story.

As I said yesterday, use two step verification with your gmail account and if you ever loose your phone revoke your phones access. This takes all of 5 seconds.

And handing complete strangers a piece of plastic with all my reusable credit card information embossed on it in plain text (with a required display version of my signature) is MORE secure?!

The only time in recent years I've had an issue was after I went to a zoo and had to give someone my CC. While trying to keep my son from running around, they stole my number and used it.

What's to stop someone from stealing your phone from rooting it than grabbing the pin afterwards. Just a random thought, still there is no 100% safe anything in this world so I don't see this as a big deal. Since it is just as easy to loose wallet not like poeple check I'D anyways :-)

Add someone said earlier, to root a phone it requires a phone wipe, so there is no getting anything if you're not already rooted with the app in use.

That's funny because I rooted my EVO via unrevocked and didn't loose any data. I think it depends on the phone and the method.

Remote locate..lock WIPE!
and its free. stop being like that.
this is going to be the case with any mobile wallet. yet it is STILL more safe than a credit card.

Why would non-rooted make a difference? Couldnt someone who stole your phone just root it themselves and then hack the PIN anyway?

As others have pointed out, you have to unlock your bootloader before you can root your phone. Unlocking the bootloader wipes the information that was previously on your phone.

It depends on the handset as to whether rooting requires a wipe first, or unlocking the bootloader, especially if the malware doesn't plan on *keeping* root after it's stolen your details. Certainly I've been able to root my HTC Hero running 2.1 (Using Universal Androot), and my Samsung Galaxy S II running 2.3.5 (using zergRush) *without* having to wipe them, or replace the kernel with an insecure kernel. mempodroid will similarly root ICS for now, and I'm sure new kernel exploits will be found in future Android kernels.

It would still be simpler to just knock the guy out and take his actual wallet than trying to brute-force your way into Google Wallet.

However, that is pretty half-assed response on Google's part. "Just don't root your device" sounds almost as bad as Jerry's "just buy a Nexus" during the whole Carrier IQ fiasco.

Thank you internet for letting me know that if my phone gets hacked...I could lose personaly information.....-______________________-

OMFGGG NO S***!!!