Google Wallet PIN can be cracked... on a rooted Android device

An attacker would have to get hold of an Android device that has been rooted in order to run software that cracks the PIN in Google Wallet.

Researchers find they can use a brute force attack to crack the PIN in Google Wallet (as demonstrated in a video on their site), but an attacker would need "root" privileges to do that. (Credit: zvelo)

Researchers at security firm zvelo have discovered that they can crack a Google Wallet PIN using a brute force attack on a device that is "rooted," that is, freed of security restrictions imposed by wireless carriers.

But don't panic. Chances are your Android device isn't rooted; typically only developers and true geeks are willing to root a device, which gives the user full control with "root" privileges but also removes certain protections.

And someone would have to get physical access to the device and install password cracking software on it to get to the PIN. If someone tries to root a device without the owner's permission, the phone wipes itself of all data, including the PIN, according to Google.

As Google says in this statement:

The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.

Google is working on a fix and in the meantime advises Google Wallet users to not root their phones and to set up a screen lock on the device. Zvelo also recommends disabling USB Debugging and enabling full disk encryption, for the truly paranoid.

About the author

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
