I caught a subtle whiff of this possibility in a weekend post on the Google Commerce Blog by Osama Bedier, Vice President, Google Wallet and Payments. This post stated that "in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device." That's a slight step back from Google's earlier contention that there is no way to root a Wallet-compatible phone without wiping the data.
Escalation of Privilege
Rubin's latest post includes full details but remains understandable for any interested user. To start, he points out that there are different ways to attain root privilege on a smartphone. The most common technique involves unlocking the bootloader, but on the Nexus line of phones, unlocking the bootloader automatically wipes all data.However, Rubin's Google Wallet Cracker doesn't require literally unlocking the bootloader. All it needs to do is break down the sandbox walls that keep one application from accessing another's data by elevating the current user's privilege level.
Rubin's post links to specific vulnerabilities that are present in the current operating system used by Nexus phones, along with a proof-of-concept hack based on one such vulnerability. He tested the exploit code and verified that it gave the current user root privilege without wiping the Google Wallet PIN or any other data. And, as he points out, it's quite likely that even after this vulnerability gets patched, others will surface.
What Does It Mean?
In response to the initial warning, Google (and Rubin) advised users to never, ever run Google Wallet on a rooted phone. This new evidence shows that even if you don't root your phone, a thief could root it ex post facto and steal your funds.
Google and Rubin also both advised users to employ a screen lock of some kind. A simple PIN may not be sufficient. At last summer's Black Hat conference, security expert Dino Dai Zovi offered a list of estimated times to guess different levels of PIN codes. The time to crack a 4-digit numeric pin? Eighteen minutes. Fortunately, as Rubin pointed out, after each handful of bad guesses Android inserts a delay before allowing any more.
There are other ways to gain access to a phone even when a screen lock is active. Rubin explained to me exactly how USB Debugging could be used to get shell access to the device. I'm not going print the details here—no need to make it easy for the bad guys—but trust me; you must turn off USB Debugging.
It's also true that if you inadvertently install a malicious app that includes a privilege escalation exploit, your PIN may have been cracked already. Fortunately that PIN does absolutely no good unless the malware coder somehow connects with the thief who has physical possession of the phone.
Musing on what it would take to gain access through varying levels of security, Rubin concluded that a full password lock and full encryption should be sufficient to keep out the toughest hacker.
Convenience Lost
Google touts Google Wallet as much more convenient than conventional credit cards. Just wave your phone near the PayPass reader and presto! You've paid the bill. Unfortunately, protection powerful enough to block any possibility of PIN cracking cuts down the convenience factor.Rubin concludes that power users will continue to root their devices and software vulnerabilities aren't going away. Kernel based privilege isolation isn't secure enough to protect "extremely sensitive data like that contained in Google Wallet." Probably Google's best way out of this dilemma will involve navigating some thorny legal issues that currently prevent them from storing the PIN inside the inaccessible Secure Element that holds data like the full credit card number. Let's hope they succeed.