Android – Bitcoin vulnerability – Exploit in the wild.

Photo credit: Katarzyna Kieliszek

A blog post over at bitcoin.org alerts currency holders using an Android wallet to a serious underlying vulnerability that could leave their wallets open to would be thieves.

The blog post says only that “an underlying component of Android” contains the flaws that leave Android bitcoin wallet holders at risk of pilfering. However bitcoin wallet app developer Mike Hearn posted to the bitcoin developer mailing list that the exact component is the Android implementation of the Java class SecureRandom.

The effects of this may be much more far reaching than just bitcoin wallets. If Mike’s appraisal is accurate, than *all* private keys generated on the Android platform are cryptographically weak and will require “rotating”, which is a polite way of saying “deleting and recreating”. For those bitcoin wallet users it will also mean generating a new address and sending all their own money back to themselves.

There is no evidence yet that it has been actively exploited, Several bitcoin users have reported being a victim of theft, possibly related to this vulnerability. So for those people using bitcoin wallets on their mobile devices, lets hope the app updates with fixed random number generators are timely. Details of some of the affected apps are available in the bit coin.org blog post.

It will also be interesting to see how the underlying issue in Android affects other apps that rely on cryptography and how a root cause fix can be rolled out across that notoriously fragmented ecosystem. With more and more apps with financial implications and the ever increasing amount of personal information we hold on our mobile devices, vulnerabilities of this nature are high profile and very attractive to today’s online criminal.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>