All the latest UK technology news, reviews and analysis


Android SecureRandom Bitcoin wallet vulnerability could be used to hack more than 300,000 apps

14 Aug 2013
Bitcoin 3D logo

A flaw in Google Android's cryptographic protocols is leaving as many as 360,000 applications open to attack, Symantec claims.

The security firm announced the figure in a blog post, claiming that the vulnerability, announced by Bitcoin earlier this week, may have wider implications.

"Certain Bitcoin wallet applications using Android's SecureRandom signed multiple transactions using an identical ‘random' number. Since transactions are public on the Bitcoin network, attackers scanned the transaction block chain looking for these particular transactions to retrieve the private key and transfer funds from the Bitcoin wallet without the owner's consent," read the Symantec blog post.

"Other Android apps may be vulnerable to similar attacks depending on how they implement SecureRandom. Looking at Norton Mobile Insight data, we have found over 360,000 applications that make use of SecureRandom and over 320,000 of them use SecureRandom in the same way the Bitcoin wallets did."

The vulnerability was disclosed by Bitcoin at the start of the week. It was first thought to only affect payment services like Bitcoin Wallet, BitcoinSpinner, Mycelium Wallet and Blockchain.info. Symantec has since disclosed further details about the flaw, confirming it relates to the SecureRandom protocols used to authenticate the users identity.

"Bitcoin uses the ECDSA [Elliptic Curve Digital Signature Algorithm] to ensure that funds can only be spent by their rightful owners. The algorithm requires a random number to compute an ECDSA signature, but if two different messages are signed with the same private key and the same random number, the private key can be derived," read the blog post.

"This is a known method of attacking the algorithm and was previously used to break the security of other products, such as the PlayStation 3 master key."

The Symantec researchers confirmed the vulberability should not affect new versions of Android, but said developers should remain extra cautious about their application security. "Android versions from 4.2 (Jelly Bean) and on may not be affected by these specific flaws since SecureRandom was reimplemented," read the post.

"We strongly advise users of Android Bitcoin wallet apps to check whether their applications are affected, and to follow the steps outlined by Bitcoin.org to make their funds safe. We would also like to advise Android developers to stay tuned and review their cryptographic implementations based on SecureRandom and evaluate whether this could pose a security risk."

Bitcoins are a digital currency designed to allow semi-anonymous online transactions to be made. The currency's semi-anonymous nature has proven a hit with many criminal cartels, which use it as a means to hamper law enforcement's ability to track them. Most recently Webroot reported that several black markets have begun taking Bitcoin payments.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Poll

BYOD vs CYOD vs BYOC poll

Which approach is your firm taking to managing employees' mobile devices?
23%
14%
4%
17%
30%
12%

Popular Threads

Powered by Disqus
Galaxy S5 vs iPhone 5S vs Nexus 5 showdown

Galaxy S5 vs iPhone 5S vs Nexus 5

We speed test three of the most popular smartphones

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv33

Data protection: the key challenges

Deduplication is a foundational technology for efficient backup and recovery

rdc2

iPad makes its mark in the enterprise

The iPad can become a supercharged unified communications endpoint, allowing users to enhance their productivity

Digital Project Manager - Creative Technology House

Digital Project Manager - Creative Technology House Henley...

SQL Database Adminstrator (DBA) SQL 2012, SSIS, Windows 2012

SQL Database Adminstrator (DBA) SQL 2012, SSIS, Windows...

SharePoint Lead Developer - SharePoint 2013, C#, .Net

SharePoint Lead Developer – SharePoint 2013, C#, .Net...

Infrastructure Analyst - Storage, SAN, EMC, VMWare, Exchange

Infrastructure Analyst - Storage, SAN, EMC, VMWare, Exchange...
To send to more than one email address, simply separate each address with a comma.