
PSA: Google Wallet vulnerable to 'brute-force' PIN attacks (update: affects rooted devices)

Sharif Sakr
February 9, 2012

Security hounds over at zvelo have discovered a vulnerability in Google Wallet that means your precious PIN can be "easily revealed." Digging through the app's code and using Google's open resources to reveal its contents, they uncovered a piratical treasure trove of data: unique user IDs, Google account information, and the PIN stored as a SHA256 hex-encoded string. Since this string is known to carry four digits, it only takes a "trivial" brute-force attack involving a maximum of 10,000 calculations to decode it. To prove their point, the researchers made a Wallet Cracker app -- demoed after the break -- that does the job quicker than you can say "unexpected overdraft."
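The keyspace arithmetic above, as an added example that is not zvelo's Wallet Cracker or code from the article: it measures how many guesses it takes to match a stored digest of a four-digit PIN, and shows that a salt or a slower hash changes the cost per guess but not the 10,000-candidate ceiling. The salt, the PBKDF2 variant, the function names and the sample PINs are assumptions constructed for illustration.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed sample value, not from the article


def fast_digest(pin: str, salt: bytes = b"") -> str:
    """Storage as the article describes it: SHA-256 of the PIN, hex-encoded.
    The optional salt is an assumption added to show it does not shrink the search."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def slow_digest(pin: str, salt: bytes = SALT, iterations: int = 1000) -> str:
    """Hypothetical hardening attempt: a deliberately slow, salted KDF."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations).hex()


def recover(stored_hex: str, digest=fast_digest, digits: int = 4):
    """Walk the whole PIN space and return (pin, guesses_used).
    Returns (None, 10**digits) if nothing matches."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(digest(candidate), stored_hex):
            return candidate, n + 1
    return None, 10 ** digits


def worst_case_ms(digits: int, ms_per_guess: int) -> int:
    """Upper bound on offline search time for a given per-guess cost."""
    return (10 ** digits) * ms_per_guess


if __name__ == "__main__":
    # Constructed PINs; "9999" is the last candidate, so it is the worst case.
    print(recover(fast_digest("9999")))               # fast hash, full sweep
    print(recover(slow_digest("0042"), slow_digest))  # slow KDF, same ceiling
    # Even at 100 ms per guess the whole space falls in under 17 minutes.
    print(worst_case_ms(4, 100) / 60000, "minutes")
```

The bound is set by the PIN length, so a digest that can be read off the device protects the PIN only for as long as one sweep of the space takes.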

Google has been receptive to these findings, but its attempts at a fix have so far been hampered by the need to coordinate with the banks, since changing the way the PIN is stored could also change which agency is responsible for its security. In the meantime, zvelo advises that there are some measures users can take themselves, aside from putting a protective hand over their pockets: refrain from rooting your phone, enable your lock screen, disable USB debugging, enable Full Disk Encryption and keep your handset up-to-date.

Update: Google has responded by emphasizing that it's only users of rooted devices who are at risk. In a statement to TNW it said: "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."

[Thanks to everyone who sent this in.]










