PSA: Google Wallet vulnerable to 'brute-force' PIN attacks (update: affects rooted devices)

Security hounds over at zvelo have discovered a vulnerability in Google Wallet that means your precious PIN can be "easily revealed." Digging through the app's code and using Google's open resources to reveal its contents, they uncovered a piratical treasure trove of data: unique user IDs, Google account information, and the PIN stored as a SHA256 hex-encoded string. Since this string is known to carry four digits, it only takes a "trivial" brute-force attack involving a maximum of 10,000 calculations to decode it. To prove their point, the researchers made a Wallet Cracker app -- demoed after the break -- that does the job quicker than you can say "unexpected overdraft."

Google has been receptive to these findings, but its attempts at a fix have so far been hampered by the need to coordinate with the banks, since changing the way the PIN is stored could also change which agency is responsible for its security. In the meantime, zvelo advises that there are some measures users can take themselves, aside from putting a protective hand over their pockets: refrain from rooting your phone, enable your lock screen, disable USB debugging, enable Full Disk Encryption and keep your handset up-to-date.

Update: Google has responded by emphasizing that it's only users of rooted devices who are at risk. In astatement to TNW it said: "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."

Comments

Google and Stanford early adopters of Honda Fit EV

Honda's first all-electric vehicle is hitting the streets a little early. The Honda Fit EV debuted at the Los Angeles Auto Show in November 2011, and it's expected to be available for lease this summer. However, Honda announced that Google and Stanford University got a special early delivery of the tiny EV this week.The Honda Fit EV is equipped with a 20kWh lithium ion battery, and has an EPA estimated driving range of 76 miles. Google added the EV to its car -sharing service for employees, dubbed the G-Fleet, in Mountain View, Calif. The search giant maintains several electric and plug-in vehicles that it uses for research and to cart Googlers around town and between buildings on campus. Stanford University also is an early adopter of the Fit EV, but will be using it primarily for research. The university's automotive research department will study the difference in psychological and physical reactions of using battery...

Hand-manipulated objects and transparent displays - the computer desktop of tomorrow

A see-through screen, digital 3D objects manipulated by hand, perspective adjustments according to the user's viewing angle - these are the core features of a prototype computer desktop user interface created by Microsoft's Applied Sciences Group. The prototype uses a "unique" Samsung transparent OLED display through which the user can see their own hands to manipulate 3D objects which appear to be behind the screen. A demo video appears to show a working prototype of a computer markedly different from those we use today. Yes it includes a familiar keyboard and trackpad - but these are placed behind the OLED display. The user simply lifts their hands from these input devices to manipulate on-screen (or more accurately behind -screen) objects, such as selecting a file or window. The video shows the interface in action with a series of program windows stacked behind one another, with the user selecting the desired program by hand, using the depth of the w...

Bioengineers develop smart, self-healing hydrogel

Velcro is pretty handy stuff, but imagine if there was a soft, stretchy material with the same qualities. Well, now there is. Scientists from the University of California, San Diego have created a self-healing hydrogel that binds together in seconds, essentially copying the Velcro process at a molecular level. The new material could potentially find use in medical sutures, targeted drug delivery, industrial sealants and self-healing plastics. The secret to the jello-like polymer hydrogel is its "dangling side chain" molecules, that reach out toward one another like long, spindly fingers. When developing the gel, a team led by bioengineer Shyni Varghese ran computer simulations, in order to determine the optimal length for these molecules. The resulting substance is capable of healing cuts made to itself - or of bonding with another piece of hydrogel - almost instantly. The behavior of the material can be controlled by adjusting the pH of its environment. In lab t...

Daily Tech News

Search This Blog