
Summary:

Android’s built-in pseudorandom number generator is broken. If you’ve been using an Android Bitcoin wallet app to generate addresses and private keys, that flaw may have opened your wallet up to theft.

[Photo: an empty wallet. Credit: Shutterstock/Pressmaster]

A flaw in the way Android generates “random” numbers has made many Bitcoin wallets hosted on Android smartphones insecure, Bitcoin developers have said.

On Sunday Bitcoin.org, which is maintained by the crypto-currency’s community, warned that any wallet generated by an Android app was vulnerable to theft. Apps such as Bitcoin Wallet and Mycelium Wallet were affected and are currently being updated. The problem was flagged up by Google security engineer Mike Hearn.

Loose key

Quick cryptography primer: public key cryptography (also the basis for end-to-end email security) uses paired public and private keys. The public key is the one you show to other people so they can send you an encrypted message; the private key is the one you keep to yourself in order to decode what is sent.

Bitcoin uses the same kind of key pair, but for signing rather than encryption. To generate an “address” so someone else can send you bitcoins, a large random number is drawn; that number is the private key, and an elliptic-curve calculation derives the matching public key from it. The public key is then hashed and encoded into a recognizable Bitcoin address (ordinary ones start with a 1; those starting with a 3 are derived from a script rather than a single public key), and the private key is what lets you sign transactions that spend the funds held at that address.

Addresses and their associated private keys are generally stored in software “wallets”. Some people use hosted wallet services such as Coinbase, while others choose to keep their wallets on their desktop computers or phones. The people potentially affected in this case would be those who use a wallet app on their Android smartphones to generate and use their Bitcoin addresses and the associated private keys.

Bad repetition

The problem lies in Android’s built-in pseudorandom number generator, exposed to apps as the Java SecureRandom class. (Software generators like this are the norm; dedicated hardware random number generators are specialist components.) It turns out this generator can issue the same “random” number twice. That matters because every Bitcoin transaction is signed with ECDSA, and each signature needs its own fresh random nonce: if two signatures made with the same private key reuse a nonce, anyone who sees both signatures (and they are published on the block chain) can work backwards to the private key with a few lines of modular arithmetic.

If you know someone’s private key, you can spend everything in their wallet. This is not a theoretical hazard: some Bitcoin users have recently reported small thefts enabled by the earlier reuse of a supposedly random number.

The advice for users of Android Bitcoin wallet apps is to update to the latest version (which should use a repaired random number generator), generate a new Bitcoin address, send all personal funds to that address, and let contacts know what the new address is. Updating alone is not enough: keys that were generated, and transactions that were signed, with the faulty generator remain exposed, which is why the funds have to move to a fresh key.

  1. Hopefully, lessons will be learned and Bitcoin will become even more secure as a result of this.
    I’ve been having problems with the bitaddress dot org site too, using the Brainwallet function. It generates public/private key pairs and they work in transactions, but when I try to use blockchain dot info to look at the balance in the brain wallet, it says invalid address. However, I can use the private key to recover my BTCs, so the private key is OK, but the public key is invalid in some way (not base 56?) and yet the network doesn’t reject the transaction.
    I tried mailing GitHub but they said to contact the site developer, but I couldn’t find his address.

    Maybe it’s my browser (Puppy Linux + SeaMonkey and Firefox), though other addresses I’ve generated check out OK, just the later ones. Maybe it’s my browser, I dunno.
