Android’s Random Number Generator Isn’t, Leaving Bitcoins Vulnerable

Trust Google… *and* smartphones?

It turns out that Android has a critical flaw in its supposedly “secure” — make that “””secure,””” one sneer quote just doesn’t seem enough — random number generator.

The flaw (which causes software to use the same random seeds multiple times) is so severe that anyone who’s generated a Bitcoin wallet on Android may be vulnerable to having their Bitcoins stolen.

It doesn’t matter what software you used: if you use Bitcoins on an Android smartphone, TRANSFER THEM ONTO A DIFFERENT WALLET. NOW. PEOPLE ARE ACTIVELY BEING E-PICKPOCKETED USING THIS FLAW.

Then paint your phone orange and grind the thing on pavement until the orange color has mixed with black plastic to form brown.

http://bitcoin.org/en/alert/2013-08-11-android

http://www.techweekeurope.co.uk/news/all-bitcoin-wallets-on-android-vulnerable-to-theft-124455?ModPagespeed=noscript

“The Bitcoin (BTC) community has warned that due to a recently discovered critical weakness in Android’s secure random number generator, every single Bitcoin wallet for Google’s mobile OS is “vulnerable to theft”.

Bitcoin.org has advised users to transfer all virtual currency from their mobile wallets to a new, secure Bitcoin address, not generated on a smartphone or tablet.

There have already been several reports of stolen BTC balances on Android devices. App developers have been notified, and are currently working to fix the problem.[…]

On Sunday, Bitcoin.org reported the existence of a bug that allows wallets built on Android to reuse the same random number in the Bitcoin transaction signature. If this random number is ever used twice with the same private key, the key can be recovered, giving a third party access to the funds stored at the particular address.

The problem affects all Android wallets developed to date, including Bitcoin Wallet, blockchain.info, BitcoinSpinner, Andreas Schildbach Android Wallet and Mycelium.

In response, Bitcoin.org has instructed users to forward the balance to an alternative address not generated on Android. The website notes that apps which don’t control the private keys are not affected: “For example, exchange frontends like the Coinbase or Mt Gox apps are not impacted by this issue because the private keys are not generated on your Android phone.”

New Bitcoin wallet addresses can be generated for free in less than a minute, so the operation shouldn’t be too difficult.

“If you use an Android wallet then we strongly recommend you upgrade to the latest version available in the Play Store as soon as one becomes available,” concludes the statement.”
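
To check whether an address was exposed by the reuse described in the quoted article, look for two different signatures made with the same key that share the same r value: r is derived only from the per-signature random number, so a repeated random number produces a repeated r. The audit below is an added example, not code from this post, the quoted article or any wallet; the record layout, the names and the sample values are constructed, and it assumes each signature is DER-encoded with Bitcoin's trailing sighash byte already stripped.

```python
from collections import defaultdict

def parse_der_sig(sig: bytes) -> tuple[int, int]:
    """Parse a DER ECDSA signature (SEQUENCE of two INTEGERs) into (r, s)."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    pos, values = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER tag")
        n = sig[pos + 1]
        body = sig[pos + 2 : pos + 2 + n]
        if n == 0 or len(body) != n:
            raise ValueError("truncated INTEGER")
        values.append(int.from_bytes(body, "big"))
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return values[0], values[1]

def der_sig(r: int, s: int) -> bytes:
    """Encode (r, s) as DER; used here only to build the constructed sample."""
    body = b""
    for x in (r, s):
        raw = x.to_bytes((x.bit_length() + 8) // 8, "big")  # keeps the sign bit clear
        body += b"\x02" + bytes([len(raw)]) + raw
    return b"\x30" + bytes([len(body)]) + body

def find_reused_r(records):
    """records: (pubkey, txid, der_sig). Returns {(pubkey, r): [txids]} for every
    r that appears in two or more distinct signatures under the same key."""
    seen = defaultdict(dict)  # (pubkey, r) -> {s: txid}
    for pubkey, txid, sig in records:
        r, s = parse_der_sig(sig)
        seen[(pubkey, r)][s] = txid  # identical (r, s) is a duplicate copy, not reuse
    return {key: sorted(by_s.values()) for key, by_s in seen.items() if len(by_s) > 1}

# Constructed sample: labels and numbers are placeholders, not real transactions.
R_SHARED = int("c1" * 32, 16)
SAMPLE = [
    ("pubkey-A", "tx-1", der_sig(R_SHARED, 0x1111)),
    ("pubkey-A", "tx-2", der_sig(R_SHARED, 0x2222)),  # same key, same r: exposed
    ("pubkey-A", "tx-3", der_sig(0x3333, 0x4444)),
    ("pubkey-B", "tx-4", der_sig(R_SHARED, 0x5555)),  # other key: not reported here
]

if __name__ == "__main__":
    for (pubkey, r), txids in find_reused_r(SAMPLE).items():
        print(f"{pubkey}: r={r:#x} reused in {txids}; move funds to a new address")
```

Any key the audit reports should be treated as compromised, which is why the advisory says to move the balance to a freshly generated address rather than only updating the app.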
