Feeds

Google Wallet PIN security cracked in seconds

Luckily no one important is using it

The Power of One eBook: Top reasons to choose HP BladeSystem

Update A researcher at website categoriser zvelo has discovered Google Wallet's PIN protection is open to a brute-force attack that takes seconds to complete. And Google is powerless to fix the problem, it seems.

The attack is limited to instances where physical access is available, or the phone has been previously "rooted" by the user. Once the assault succeeds the attacker can read the contents of the wallet details such as the transaction history*. Worse still, Google can't address the flaw without shifting responsibility for the PIN onto the banks, who might not want it.

Google Wallet uses Near Field Communications (NFC) a wireless technology so the user can make payments by bonking the phone onto a suitably equipped till. The Google Wallet provides a management interface to the cards stored on the system, and the bonk triggers an encrypted exchange of information between the card and the till authorising the payment.

That exchange remains secure, but when the user wants to edit their card details, or see their transaction history, they use Google Wallet which requires a 4-digit PIN, and it's that PIN which has proved vulnerable.

The chaps at zvelo noticed that the wallet application stores a hash of the PIN, and were thus able to create a matching PIN simply by hashing all 10,000 possible numbers - a process which only takes a few seconds as they've demonstrated on their video.

The hash files, which are accompanied by other data warranting further enquiry, are only available to other applications once a handset has been rooted - the Android OS keeps applications separated so this attack is limited to stolen phones or those rooted by their owners. The latter case is particularly concerning as it would, in theory, allow a rogue app to lift all the data remotely without the user being aware.

The problem, for Google, is that the obvious way to fix this is to move all the data into the secure element on the phone. The secure element is essential to NFC transactions, but falls under the legal responsibility of the payment processor - so moving the PIN into there would change the already complex legal architecture.

There's also the problem of which secure element the PIN would be attached to. Google's existing NFC devices support a secure element in the SIM (under the control of the network operator) as well as one embedded in the handset, and Google Wallet is supposed to provide a single interface to all the securely stored content.

So it looks like a fix won't be coming any time soon, which is bad news for those touting a rooted Google Nexus S, and using Google Wallet to pay for stuff, but unlikely to worry the rest of us immediately. ®

*The credit card numbers, however, cannot be read. Google has been in touch to say that the whole credit card number isn't displayed within the Wallet interface, so Google Wallet remains more secure than its physical equivalent.

Designing a Defense for Mobile Applications

More from The Register

next story
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.