Posts Tagged ‘Mobiles’

Google Wallet Vulnerabilities Exposed

February 10th, 2012

This hasn’t been a good week for Google Wallet, the mobile app that stores your credit cards so you can easily make payments with your phone. Yesterday, zvelo engineer Joshua Rubin revealed that the 4-digit PIN used to authenticate users of the app is stored as a SHA256 hash on the device, and this hash is easily obtained if the device is rooted. The problem here isn’t that SHA256 is insecure (on the contrary, it is a highly recommended hashing algorithm), but rather that there are only 10,000 possible values that the PIN could be (0000 to 9999 inclusive). This means that a brute-force attack is easily executed by simply SHA256 hashing each possible PIN and comparing the resulting hash against the one stored on the device.

The following video shows the attack in action. The team who found the vulnerability simply created a separate app that reads the stored hash value and brute-forces it. It only takes the app a few seconds to crack the hash.
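The weakness described above can be measured directly. The following is an added example, not code from the original post or from the researchers' app: it shows that a hash over a 10,000-value keyspace is recovered by a full sweep, and it goes beyond the post by timing the same sweep against a salted, stretched hash (PBKDF2). The PIN encoding (ASCII digits, no salt), the sample PIN and the salt are assumptions made for illustration.

```python
import hashlib
import time
from typing import Callable, Optional

# Every PIN the post says is possible: 0000 to 9999 inclusive.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]


def sha256_pin(pin: str) -> str:
    """Single-pass SHA-256 of the PIN (assumed: ASCII digits, no salt)."""
    return hashlib.sha256(pin.encode("ascii")).hexdigest()


def stretched_pin(pin: str, salt: bytes, iterations: int) -> str:
    """Salted PBKDF2-HMAC-SHA256, the usual 'slow hash' hardening."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt, iterations).hex()


def recover_pin(stored: str, hasher: Callable[[str], str]) -> Optional[str]:
    """Hash each candidate PIN and return the one matching `stored`, if any."""
    for pin in PIN_SPACE:
        if hasher(pin) == stored:
            return pin
    return None


def sweep_seconds(hasher, sample: int = 200) -> float:
    """Estimate the time to hash the whole PIN space from a timed sample."""
    start = time.perf_counter()
    for pin in PIN_SPACE[:sample]:
        hasher(pin)
    return (time.perf_counter() - start) / sample * len(PIN_SPACE)


if __name__ == "__main__":
    stored = sha256_pin("4821")  # constructed sample, not a real device value
    print("recovered PIN:", recover_pin(stored, sha256_pin))
    salt = bytes(16)  # constructed salt, assumed stored beside the hash
    slow = lambda p: stretched_pin(p, salt, 100_000)
    print(f"SHA-256 sweep: {sweep_seconds(sha256_pin):.3f} s")
    print(f"PBKDF2 x100000 sweep: {sweep_seconds(slow, sample=5):.0f} s")
```

Stretching raises the cost per guess, but the sweep still finishes, because the keyspace rather than the hash function is the limit.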

If you thought that was a bad design decision by Google, you haven’t seen anything yet. As it turns out, there is no need to root the device or crack the hash, as all an attacker needs to do is ask the phone to reset the Google Wallet application data. This wipes the PIN from storage, but not any card details, so when the Google Wallet app is next opened it asks you for a new PIN and lets you use the stored card details immediately.

GSM Cracked

January 1st, 2011

Karsten Nohl and Sylvain Munaut from Security Research Labs have cracked GSM, enabling them to eavesdrop on any call made by a target device. The pair demonstrated their research at the Chaos Computer Club Congress (CCC), and have released a rough guide to the attack on their website.

What appears to be unique to this type of attack on GSM is that an attacker can specify an actual target device to eavesdrop on. Using a set of cheap Motorola phones with open-source firmware, the researchers were able to see all data being broadcast by the GSM base station. Once a target device is located, the relevant data can be decrypted by finding the GSM encryption key using a set of rainbow tables. The set of tables used by the researchers was generated over a two-month period in a previous research project, and is 2TB in size. An attacker only needs two encrypted known plaintext messages to have a 90% chance of finding the secret key.

In Nohl’s own words, “Now there’s a path from your telephone number to me finding you and listening to your calls, the whole way.”

Let’s just hope the GSM Association (GSMA) take the research on board, and pay special attention to the relative ease and low cost of actually executing the attack. According to the BBC News write-up, the association have yet to comment on the attack.