Google Wallet PIN brute-forcing now without rooting
An attack on Google Wallet's PIN protection – which required that the phone be rooted so that the PIN information could be accessed – can be achieved on an un-rooted Android smartphone by using a Linux privilege escalation vulnerability. This is according to Zvelo, who found the original problem with the storage of the PIN used to protect the NFC-enabled wallet embedded in the Google Nexus. Rooting, it had been pointed out, would usually mean that all the data on the device was deleted in the process, and Google advised users not to use Wallet on rooted devices.
But by exploiting a known Linux privilege escalation vulnerability, which exists in Android 4.0 and for which proof-of-concept code is available, it is possible to get root access to the device without deleting any data. Zvelo says this is enough to get access to the Google Wallet PIN data, which can be easily brute-forced as in their original attack. An attacker could also just obtain the data and send it to a remote server where the PIN could be brute-forced even faster.
Zvelo does not claim to have created code to perform this attack, but given that the information is already in the public domain, it would not be difficult to create. Although the Linux source code has been patched to fix the flaw, there is a reasonable expectation that privilege escalation flaws will be discovered in the future which could be exploited to the same ends.
While Google has yet to comment on that issue, it has announced that it has now restored the provisioning service for the pre-paid debit cards associated with Google Wallet NFC-enabled hardware. The company disabled the system after it was widely publicised that it was possible to get access to the credit on the pre-paid card. An attacker could reset the Google Wallet application data and restart the application, at which point they could enter a new PIN and reconnect the virtual pre-paid card associated with the device, giving access to any available credit on the pre-paid card. According to The Verge, attempts to re-provision the card result in "Try Again" and "Remove Card" messages.
(djwm)