PSA: Google Wallet vulnerable to 'brute-force' PIN attacks (update: affects rooted devices)



Security hounds over at zvelo have discovered a vulnerability in Google Wallet that means your precious PIN can be "easily revealed." Digging through the app's code and using Google's open resources to reveal its contents, they uncovered a piratical treasure trove of data: unique user IDs, Google account information, and the PIN stored as a SHA256 hex-encoded string. Since this string is known to carry four digits, it only takes a "trivial" brute-force attack involving a maximum of 10,000 calculations to decode it. To prove their point, the researchers made a Wallet Cracker app -- demoed after the break -- that does the job quicker than you can say "unexpected overdraft."
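Why a SHA256 hash does not protect a four-digit PIN, shown as an added example (not zvelo's Wallet Cracker or Google's code): it measures how many hash computations separate a stored digest from the PIN it came from. The optional salt parameter and all sample values are assumptions constructed for illustration; the article does not say whether a salt is used.

```python
import hashlib
import hmac
from itertools import product
from typing import Optional, Tuple


def store_pin(pin: str, salt: bytes = b"") -> str:
    """Stored form as the article describes it: SHA-256 of the PIN, hex-encoded.
    The salt argument is an assumption added for this example."""
    return hashlib.sha256(salt + pin.encode("ascii")).hexdigest()


def keyspace(digits: int) -> int:
    """Number of possible numeric PINs of the given length."""
    return 10 ** digits


def recover_pin(stored_hex: str, salt: bytes = b"",
                digits: int = 4) -> Tuple[Optional[str], int]:
    """Enumerate every PIN in order; return (pin, hashes_computed).
    Returns (None, keyspace) when nothing matches, e.g. with the wrong salt."""
    target = stored_hex.lower()
    for attempts, combo in enumerate(product("0123456789", repeat=digits), 1):
        candidate = "".join(combo)
        if hmac.compare_digest(store_pin(candidate, salt), target):
            return candidate, attempts
    return None, keyspace(digits)


if __name__ == "__main__":
    # Constructed sample records: (pin, salt). None of these come from a device.
    samples = [("0000", b""), ("4821", b""), ("9999", b""),
               ("4821", bytes.fromhex("00112233"))]
    for pin, salt in samples:
        digest = store_pin(pin, salt)
        found, attempts = recover_pin(digest, salt)
        print(f"salt={salt.hex() or '-':8} digest={digest[:16]}... "
              f"recovered={found} after {attempts} of {keyspace(4)} hashes")
```

A salt stored next to the digest leaves the attempt count unchanged, because the limit is the 10,000-value keyspace rather than the hash function.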

Google has been receptive to these findings, but its attempts at a fix have so far been hampered by the need to coordinate with the banks, since changing the way the PIN is stored could also change which agency is responsible for its security. In the meantime, zvelo advises that there are some measures users can take themselves, aside from putting a protective hand over their pockets: refrain from rooting your phone, enable your lock screen, disable USB debugging, enable Full Disk Encryption and keep your handset up-to-date.

Update: Google has responded by emphasizing that it's only users of rooted devices who are at risk. In a statement to TNW it said: "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."
