Feeds

Google Wallet PIN security cracked in seconds

Luckily no one important is using it

Choosing a cloud hosting partner with confidence

Update A researcher at website categoriser zvelo has discovered Google Wallet's PIN protection is open to a brute-force attack that takes seconds to complete. And Google is powerless to fix the problem, it seems.

The attack is limited to instances where physical access is available, or the phone has been previously "rooted" by the user. Once the assault succeeds the attacker can read the contents of the wallet details such as the transaction history*. Worse still, Google can't address the flaw without shifting responsibility for the PIN onto the banks, who might not want it.

Google Wallet uses Near Field Communications (NFC) a wireless technology so the user can make payments by bonking the phone onto a suitably equipped till. The Google Wallet provides a management interface to the cards stored on the system, and the bonk triggers an encrypted exchange of information between the card and the till authorising the payment.

That exchange remains secure, but when the user wants to edit their card details, or see their transaction history, they use Google Wallet which requires a 4-digit PIN, and it's that PIN which has proved vulnerable.

The chaps at zvelo noticed that the wallet application stores a hash of the PIN, and were thus able to create a matching PIN simply by hashing all 10,000 possible numbers - a process which only takes a few seconds as they've demonstrated on their video.

The hash files, which are accompanied by other data warranting further enquiry, are only available to other applications once a handset has been rooted - the Android OS keeps applications separated so this attack is limited to stolen phones or those rooted by their owners. The latter case is particularly concerning as it would, in theory, allow a rogue app to lift all the data remotely without the user being aware.

The problem, for Google, is that the obvious way to fix this is to move all the data into the secure element on the phone. The secure element is essential to NFC transactions, but falls under the legal responsibility of the payment processor - so moving the PIN into there would change the already complex legal architecture.

There's also the problem of which secure element the PIN would be attached to. Google's existing NFC devices support a secure element in the SIM (under the control of the network operator) as well as one embedded in the handset, and Google Wallet is supposed to provide a single interface to all the securely stored content.

So it looks like a fix won't be coming any time soon, which is bad news for those touting a rooted Google Nexus S, and using Google Wallet to pay for stuff, but unlikely to worry the rest of us immediately. ®

*The credit card numbers, however, cannot be read. Google has been in touch to say that the whole credit card number isn't displayed within the Wallet interface, so Google Wallet remains more secure than its physical equivalent.

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.