App is vulnerable to quick brute-force attacks on rooted phones

Near field communications (NFC) technology has been around overseas for over half a decade now, but it's finally jumping from the Asian market to the United States.  The technology allows you to wave your smartphone over readers to pay for anything from gas to groceries.

One of the key players in this emerging market is Google Inc. (GOOG).  Of the major phone OS platform makers, Google has pushed the hardest to deeply integrate NFC.  In May 2011 it announced a new payment app/service called "Google Wallet", which it launched in Nov. 2011.

Now a zero-day vulnerability -- discovered by Josh Rubin, et al. (presumably no relation to Android chief Andy Rubin) of the hacker site zvelo -- is raising concerns that it may be easy to digitally "mug" some Google Wallet users.  The issue, it turns out, is that the open-source portions of the Wallet app reveal the crux of its security: the 4-digit PIN is stored as a hex-encoded SHA-256 hash.  SHA-256 itself is a strong hash function, but when the input is a four-character numeric sequence (only 10,000 possible values), the stored hash is almost as crackable by brute force as traditional MD5 passwords.



Mr. Rubin calls the task "trivial".

Google has responded, saying it is working to plug the hole.  The company emphasizes that (for now) only rooted phone users are at risk.  It states, "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."

On normal phones the files involved are protected both by the sandboxing (requiring permissions to access the file system) and by visibility restrictions.  Much like Carrier IQ's files, a normal file browser app cannot "see" the encrypted file on an unrooted device -- it's hidden.

That said, there are many rooted devices in the wild, including those owned by many developers.  Zvelo says that rooted users can protect themselves somewhat by avoiding apps with suspicious permissions, enabling lock-screen protection, keeping their installed Android version up-to-date, and turning on full-disk encryption.
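An added example (not code from the article or from zvelo) showing why an unsalted SHA-256 of a 4-digit PIN is effectively not a secret, beside a hardened form using a random salt and PBKDF2 stretching; the PBKDF2 scheme and the 200,000-iteration count are assumptions for illustration, not Google's actual fix. The worst-case estimates show that stretching alone only slows enumeration of a 10,000-value space, while a longer alphanumeric secret changes the keyspace by orders of magnitude.

```python
import hashlib
import hmac
import os
import string
import time

# Every possible 4-digit PIN: the entire search space is 10,000 values.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]


def weak_store(pin: str) -> str:
    """The storage scheme the article describes: hex SHA-256 of the PIN digits, unsalted."""
    return hashlib.sha256(pin.encode()).hexdigest()


def exhaust_weak(stored_hex: str):
    """Try every 4-digit PIN against one stored hash; returns (pin_or_None, seconds taken)."""
    t0 = time.perf_counter()
    found = next((p for p in PIN_SPACE if weak_store(p) == stored_hex), None)
    return found, time.perf_counter() - t0


def strong_store(pin: str, iterations: int = 200_000, salt: bytes = b""):
    """Hardened variant (an assumption, not Wallet's fix): random salt + PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return salt, iterations, dk


def strong_verify(pin: str, salt: bytes, iterations: int, dk: bytes) -> bool:
    """Constant-time comparison of a freshly stretched candidate against the stored value."""
    cand = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)


def keyspace(length: int, alphabet: str) -> int:
    """Number of secrets of the given length over the alphabet."""
    return len(alphabet) ** length


def estimated_exhaust_seconds(iterations: int, length: int, alphabet: str) -> float:
    """Rough worst-case time to try a whole keyspace under the stretched scheme, on this machine."""
    salt, it, dk = strong_store("0000", iterations)
    t0 = time.perf_counter()
    strong_verify("0000", salt, it, dk)
    return (time.perf_counter() - t0) * keyspace(length, alphabet)


if __name__ == "__main__":
    pin, secs = exhaust_weak(weak_store("1234"))  # "1234" is a constructed sample PIN
    print(f"unsalted SHA-256, 4 digits: recovered {pin} in {secs:.3f}s")
    print(f"PBKDF2 200k iters, 4 digits: ~{estimated_exhaust_seconds(200_000, 4, string.digits):.0f}s worst case")
    print(f"PBKDF2 200k iters, 8 alnum: ~{estimated_exhaust_seconds(200_000, 8, string.ascii_letters + string.digits):.2e}s worst case")
```

Measured times vary by machine; the relative gap between the three lines is the point.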

Google is working on an update, but is reportedly slowed by having to broker changes in its service's security with its partner banks.

Thus far Google Wallet has few users, for lack of compatible devices.  The technology is new to Android 4.0 Ice Cream Sandwich (ICS).  Verizon Wireless -- the joint venture of Verizon Communications Inc. (VZ) and Vodafone Group Plc. (LON:VOD) -- which carries one of the most popular Android ICS phones, the Galaxy Nexus, has banned Google Wallet.  Reportedly it is planning its own mobile payment system to compete with Google's.

Source: zvelo



Comments

We need to get rid of 4 digit PINs!
By jnemesh on 2/9/2012 11:37:38 AM , Rating: 4
I know, they are easy to remember...but they are inherently not secure! It's WAY past time we move on to either some form of biometric security, or at the very least 7-10 digit alphanumeric passwords!




RE: We need to get rid of 4 digit PINs!
By Kurz on 2/9/2012 11:44:48 AM , Rating: 2
There is no brute force being applied to the pin code.

It seems while the phone is rooted the pin is accessible in the background. Hence they stated non-rooted phones pose no security risk at this time.


By Samus on 2/9/2012 1:13:48 PM , Rating: 3
If pins were alphanumeric (and not just numeric) it would render brute force virtually useless. The issue is determining a global alphabet, as all countries acknowledge the numbers 0-9 ;)


RE: We need to get rid of 4 digit PINs!
By Jeffk464 on 2/9/2012 3:23:56 PM , Rating: 2
Yup, this is why I have been afraid to use this app. You had to figure this was going to happen.


By steven975 on 2/9/2012 3:59:21 PM , Rating: 1
At this point it's a prepaid debit card that you can load only small amounts on.

You can get a CC from Citibank, but that would be subject to the same credit card liability rules.

It's far easier for a low-level bank employee to just make a credit card than a hacker to steal yours from Wallet.


Some inaccuracies
By theapparition on 2/9/2012 2:13:45 PM , Rating: 2
Verizon hasn't "banned" Google Wallet.

If that were the case, then why isn't Google Wallet also unavailable to European Galaxy Nexus users.

Secondly, all you need to do to install it on the Galaxy Nexus is sideload it, no rooting required.




RE: Some inaccuracies
By steven975 on 2/9/2012 4:02:48 PM , Rating: 2
You actually don't even have to do that.
There's a glitch in the Market that will allow you to get it right from the Market. Verizon has not blocked the app from the market, only the search results.

I installed Wallet right from the Market on my un-rooted VZW GN.


encryption
By BigDH01 on 2/9/2012 5:49:27 PM , Rating: 3
quote:
The issue, it turns out, is that Google's open source of the Wallet app reveals the crux of its security -- a SHA-256 hex-encoded 4-digit pin. SHA-256 is typically pretty good encryption, but when you're dealing with a four character numeric sequence, it's almost as crackable by brute force attack as traditional MD5 passwords.


SHA-256 is a hashing algorithm. Encryption is a reversible process.




Give it a week
By quiksilvr on 2/9/2012 11:02:07 AM , Rating: 2
The community is very strong and prudent about vulnerabilities like this. It will be fixed in no time.




Thank you!
By acarrillojr on 2/9/2012 1:44:19 PM , Rating: 2
On behalf of zvelo, Inc., thank you dearly for covering this story.




Android is not secure!!!!
By tayb on 2/9/2012 5:59:15 PM , Rating: 2
(Insert blanket statement about Android security here)

If you root your phone you are basically breaking out of the "bubble" you've been placed in. I really wish articles like this would make it more clear that regular users who have not rooted their phones are NOT at risk. This type of misinformation spreads really fast. It happens all the time with Android and with iOS.




so what?
By KOOLTIME on 2/10/2012 6:21:24 PM , Rating: 1
I'd prefer not to do credit system on top of a monthly bill for service the phone company charges. As invariably they will add extra fees for that service, which is not a good deal financially to anyone. Milking money out of an already interest rate milking credit system, on top of that, is just not really a finance responsible choice for most.




Copyright 2014 DailyTech LLC.