Google Wallet Pin Vulnerable To Brute Forcing

Martin Brinkmann
Feb 9, 2012
Updated • Apr 20, 2012

Google Wallet is the name of Google's recently launched cell phone-based credit card payment system. The system uses Near Field Communication (NFC) to exchange data between the cell phone (that is containing the user's financial information) and the store. The system has several advantages over physical credit cards, including a potential for greater security when implemented correctly. Security can however also be a weakness if vulnerabilities are discovered that allow attackers to gain access to the pin that is protecting Google Wallet.

Google Wallet as of now is only available in the United States, on two wireless providers - Sprint and AT&T, and only if the Samsung Nexus S 4G smartphone is used. Whenever Google Wallet users make purchases, they need to enter the pin to verify it. One of the weaknesses of the system is that Google decided to use a four digit pin limiting the possibilities to just 10,000. While that is convenient for the user, it is problematic from a security point of view.

Joshua Rubin over at Zvelo published an article yesterday that describes how his company analyzed the data Google Wallet saves to the phone to find out that the pin could be brute forced quite easily.

Researchers at Zvelo discovered that Google was saving the pin in encrpyted form on the smartphone. With the hash and salt discovered, they immediately started to program a brute forcing software to decrypt the information.

Google Wallet Hacker displays the Google Wallet pin in about a second after it is run. The program has to be run on the smartphone Google Wallet is used, which is currently the greatest restriction.

The vulnerability has been disclosed to Google before it was publicly disclosed. The system has not been updated yet though which poses a risk to Google Wallet users. Mitigating factors have been posted by Zvelo which may help Google Wallet users keep their pin secure from brute forcing attacks.

  • Do Not “Root” the Cell Phone – Doing so will be one less step for a thief.
  • Enable Lock Screens – “Face Unlock,” “Pattern,” “PIN” and “Password” all increase physical security to the device. “Slide,” however, does not.
  • Disable USB Debugging – When enabled, the data on mobile devices can be accessed without first passing a lock screen challenge unless Full Disk Encryption is also enabled.
  • Enable Full Disk Encryption – This will prevent even USB Debugging from bypassing the lock screen.
  • Maintain Device Up-To-Date – Ensure the device is current with the latest official software.

Should you be using Google Wallet right now? This is ultimately your decision, I for one would refrain from using it until the issue gets resolved.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. ilev said on February 10, 2012 at 10:10 am

    A day after discovering Google’s wallet PIN vulnerability a second security flaw has been uncovered that affects all users.

  2. Morely the IT Guy said on February 9, 2012 at 6:36 pm

    *EVERY* PIN system is vulnerable to brute force.
    Anyone who says otherwise is either a fool, or selling snake oil.

    1. Martin Brinkmann said on February 9, 2012 at 7:02 pm

      Brute forcing won’t do you any good though if your phone locks you out after five invalid attempts.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.