Although Google has released some great new software this week, like Google Chrome for Android’s Ice Cream Sandwich, and updated some of their own software, including an update to Google Chrome which allows pages to be pre-rendered as the user types into the omnibar and a malicious code checker, Google has some problem they are going to have to fix. In the past two days, Zvelo has demonstrated that Google Wallet for any Android compatible devices can be accessed by malicious user.

Initially, when the report came out, the security firm Zvelo showed that rooted Android devices were vulnerable to the attack. They demonstrated that the Google Wallet’s PIN number in the app can be discovered through the use of bute force since the Wallet app saves the user’s PIN number on the phone itself and not the secured NFC chip on the phone. Zvelo has reported it with Google and  has said…

The lynch-pin, however, was that within the PIN information section was a long integer “salt” and a SHA256 hex encoded string “hash”. Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes…This completely negates all of the security of this mobile phone payment system.

A day after the initial report, the same security firm has discovered another exploit to the Google Wallet App which affects all Google Wallet compatible Android devices, not just rooted Android devices. The exploit requires no hacking at all. It simply requires the attacker to simply clear the data in the app settings, which will force Google Wallet to reset itself and prompt the user for a new PIN. Once the Google wallet app has been reseted,  the attacker ties in a Google Prepaid card to the account and then all previously available funds are once again accessible to the attacker. As of right now, this exploit has been, again, reported and confirmed with Google and tested on multiple devices. Google has said, in a statement…

We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.

Looks like it is back to the drawing boards for Google and their Wallet app.

Comments