
PSA: Google Wallet vulnerable to 'brute-force' PIN attacks (update: affects rooted devices)



Security hounds over at zvelo have discovered a vulnerability in Google Wallet that means your precious PIN can be "easily revealed." Digging through the app's code and using Google's open resources to reveal its contents, they uncovered a piratical treasure trove of data: unique user IDs, Google account information, and the PIN stored as a SHA256 hex-encoded string. Since this string is known to carry four digits, it only takes a "trivial" brute-force attack involving a maximum of 10,000 calculations to decode it. To prove their point, the researchers made a Wallet Cracker app -- demoed after the break -- that does the job quicker than you can say "unexpected overdraft."

Google has been receptive to these findings, but its attempts at a fix have so far been hampered by the need to coordinate with the banks, since changing the way the PIN is stored could also change which agency is responsible for its security. In the meantime, zvelo advises that there are some measures users can take themselves, aside from putting a protective hand over their pockets: refrain from rooting your phone, enable your lock screen, disable USB debugging, enable Full Disk Encryption and keep your handset up-to-date.

Update: Google has responded by emphasizing that it's only users of rooted devices who are at risk. In a statement to TNW it said: "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."
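An added illustration of the two points above, written for this page and not taken from zvelo's Wallet Cracker or from Google Wallet: an unsalted SHA-256 digest of a four-digit PIN is recoverable from the digest alone in at most 10,000 hashes, while a verifier that counts attempts and locks out stops offline guessing altogether. The sample PIN, salt, PBKDF2 iteration count and lockout threshold are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample: a 4-digit PIN stored the way the article describes,
# as an unsalted SHA-256 hex digest. The PIN value is made up.
SAMPLE_PIN = "4713"
STORED_DIGEST = hashlib.sha256(SAMPLE_PIN.encode()).hexdigest()


def recover_pin_offline(digest_hex: str):
    """Search the whole 4-digit space: at most 10,000 SHA-256 calls.
    This is why a readable digest gives no real protection to a PIN."""
    for candidate in range(10_000):
        pin = f"{candidate:04d}"
        if hashlib.sha256(pin.encode()).hexdigest() == digest_hex:
            return pin
    return None


class AttemptLimitedVerifier:
    """Mitigation direction: the PIN is checked by a component that counts
    failures and locks after a few, so copying the stored data is not
    enough to test guesses offline. Salt, iterations and the lockout
    threshold below are illustrative assumptions, not Wallet's values."""

    def __init__(self, pin: str, max_attempts: int = 5):
        self._salt = os.urandom(16)
        self._hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)
        self._failures = 0
        self._max = max_attempts

    @property
    def locked(self) -> bool:
        return self._failures >= self._max

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False  # locked: even the right PIN is refused
        candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), self._salt, 100_000)
        if hmac.compare_digest(candidate, self._hash):
            self._failures = 0
            return True
        self._failures += 1
        return False


def guesses_before_lockout(verifier: AttemptLimitedVerifier) -> int:
    """Count how many sequential guesses the verifier accepts before locking."""
    tried = 0
    for candidate in range(10_000):
        if verifier.locked:
            break
        verifier.verify(f"{candidate:04d}")
        tried += 1
    return tried
```

Note that a slow hash alone does not fix a 10,000-value keyspace; the attempt counter is what removes the offline search, which is the reason the fix involves where the PIN is verified rather than just how it is hashed.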
