PSA: Google Wallet vulnerable to 'brute-force' PIN attacks (update: affects rooted devices)

Security hounds over at zvelo have discovered a vulnerability in Google Wallet that means your precious PIN can be "easily revealed." Digging through the app's code and using Google's open resources to reveal its contents, they uncovered a piratical treasure trove of data: unique user IDs, Google account information, and the PIN stored as a SHA256 hex-encoded string. Since this string is known to carry four digits, it only takes a "trivial" brute-force attack involving a maximum of 10,000 calculations to decode it. To prove their point, the researchers made a Wallet Cracker app -- demoed after the break -- that does the job quicker than you can say "unexpected overdraft."

Google has been receptive to these findings, but its attempts at a fix have so far been hampered by the need to coordinate with the banks, since changing the way the PIN is stored could also change which agency is responsible for its security. In the meantime, zvelo advises that there are some measures users can take themselves, aside from putting a protective hand over their pockets: refrain from rooting your phone, enable your lock screen, disable USB debugging, enable Full Disk Encryption and keep your handset up-to-date.

Update: Google has responded by emphasizing that it's only users of rooted devices who are at risk. In astatement to TNW it said: "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."

Comments

Silent headset lets users quietly commune with computers

Advances in voice recognition technology have seen it become a more viable form of computer interface, but it's not necessarily a quieter one. To prevent the click-clacking of keyboards being replaced by noisy man-machine conversations, MIT researchers are developing a new system called AlterEgo that allows people to talk to computers without speaking and listen to them without using their ears. At first glance, the AlterEgo headpiece looks like the product of a design student who didn't pay attention in class. Instead of the familiar combination of an earpiece and microphone, the device is a cumbersome white plastic curve like the jawbone of some strange animal that hangs off the wearer's ear and arcs over to touch the chin. It might look strange, but it's based on some fairly sophisticated technology. Inside the Alterego are electrodes that scan the jaw and face from neuromuscular signals produced when the wearer thinks about verbalizing words without...

Water purification: Running fuel cells on bacteria to purify water

Researchers in Norway have succeeded in getting bacteria to power a fuel cell. The "fuel" used is wastewater, and the products of the process are purified water droplets and electricity. This is an environmentally-friendly process for the purification of water derived from industrial processes and suchlike. It also generates small amounts of electricity -- in practice enough to drive a small fan, a sensor or a light-emitting diode. In the future, the researchers hope to scale up this energy generation to enable the same energy to be used to power the water purification process , which commonly consists of many stages, often involving mechanical and energy-demanding decontamination steps at its outset. Nature's own generator The biological fuel cell is powered by entirely natural processes -- with the help of living microorganisms. "In simple terms, this type of fuel cell works because the bacteria consume the waste materials found in the water," explains SINTEF...

Harry Potter and the Cursed Child

Small Intro About Harry Potter and the Cursed Child Based on an original new story by J.K. Rowling, Jack Thorne and John Tiffany, Harry Potter and the Cursed Child is a new play by Jack Thorne. It is the eighth story in the Harry Potter series and the first official Harry Potter story to be presented on stage. It was always difficult being Harry Potter and it isn’t much easier now that he is an overworked employee of the Ministry of Magic, a husband and father of three school-age children. While Harry grapples with the past that refuses to stay where it belongs, his youngest son Albus must struggle with the weight of a family legacy he never wanted. As past and present fuse ominously, both father and son learn the uncomfortable truth: sometimes, darkness comes from unexpected places. Harry Potter and the Cursed Child is one play presented in two Parts, which are intended to be seen in order on the same day (matinee and evening) or on two consecutive evenings. ...

Daily Tech News

Search This Blog