Google Wallet PIN can be cracked… on a rooted Android device

Posted: February 10, 2012 in Vulnerabilities

Researchers at security firm zvelo have discovered that they can crack a Google Wallet PIN using a brute-force attack on a device that is “rooted”, i.e., freed of security restrictions imposed by wireless carriers.

But don’t panic. Chances are your Android device isn’t rooted; typically only developers and true geeks are willing to root a device, which gives the user full control with “root” privileges but also removes certain protections.

And someone would have to get physical access to the device and install password-cracking software on it to get to the PIN. If someone tries to root a device without the owner’s permission, the phone wipes itself of all data, including the PIN, according to Google.

As Google says in this statement:

The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.

Google is working on a fix and in the meantime advises Google Wallet users to not root their phones and to set up a screen lock on the device. Zvelo also recommends disabling USB Debugging and enabling full disk encryption, for the truly paranoid.
