
PSA: Google Wallet vulnerable to 'brute-force' PIN attacks (update: affects rooted devices)



Security hounds over at zvelo have discovered a vulnerability in Google Wallet that means your precious PIN can be "easily revealed." Digging through the app's code and using Google's open resources to reveal its contents, they uncovered a piratical treasure trove of data: unique user IDs, Google account information, and the PIN stored as a SHA256 hex-encoded string. Since this string is known to carry four digits, it only takes a "trivial" brute-force attack involving a maximum of 10,000 calculations to decode it. To prove their point, the researchers made a Wallet Cracker app -- demoed after the break -- that does the job quicker than you can say "unexpected overdraft."
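The arithmetic behind the "maximum of 10,000 calculations" figure, as an added example that is not zvelo's Wallet Cracker or any code from the article: it runs on constructed test values and compares a plain SHA-256 verifier with a key-stretched one. The function names, the optional salt and the salt-plus-PIN layout are assumptions of this example.

```python
import hashlib
import hmac
import time

PIN_DIGITS = 4  # the article: the PIN is known to be four digits


def sha256_verifier(pin: str, salt: bytes = b"") -> str:
    """SHA-256 hex string of the PIN, as the article describes the stored value.
    The optional salt and the salt+PIN layout are assumptions of this example."""
    return hashlib.sha256(salt + pin.encode("ascii")).hexdigest()


def pbkdf2_verifier(pin: str, salt: bytes = b"constructed-salt") -> str:
    """Key-stretched alternative (100,000 PBKDF2 iterations), for comparison only."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt, 100_000).hex()


def guesses_to_match(stored_hex: str, verifier=sha256_verifier, digits: int = PIN_DIGITS):
    """Walk the whole PIN space; return (pin, guesses_used) or (None, keyspace)."""
    keyspace = 10 ** digits
    for n in range(keyspace):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(verifier(candidate), stored_hex):
            return candidate, n + 1
    return None, keyspace


def worst_case_seconds(verifier, digits: int = PIN_DIGITS, samples: int = 20) -> float:
    """Time a few verifier calls and scale the per-guess cost to the full keyspace."""
    start = time.perf_counter()
    for n in range(samples):
        verifier(f"{n:0{digits}d}")
    return (time.perf_counter() - start) / samples * 10 ** digits


if __name__ == "__main__":
    stored = sha256_verifier("9999")  # constructed test value, last PIN in the space
    print(guesses_to_match(stored))
    print(f"SHA-256 worst case: {worst_case_seconds(sha256_verifier):.3f} s")
    print(f"PBKDF2 worst case:  {worst_case_seconds(pbkdf2_verifier):.0f} s")
```

A salt stored next to the hash does not change the guess count, and key stretching only multiplies the per-guess cost by a constant, because the bound is the 10,000-entry keyspace rather than the hash function.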

Google has been receptive to these findings, but its attempts at a fix have so far been hampered by the need to coordinate with the banks, since changing the way the PIN is stored could also change which agency is responsible for its security. In the meantime, zvelo advises that there are some measures users can take themselves, aside from putting a protective hand over their pockets: refrain from rooting your phone, enable your lock screen, disable USB debugging, enable Full Disk Encryption and keep your handset up-to-date.

Update: Google has responded by emphasizing that it's only users of rooted devices who are at risk. In a statement to TNW it said: "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."
