
Android SecureRandom Bitcoin wallet vulnerability could be used to hack more than 300,000 apps

14 Aug 2013

A flaw in Android's SecureRandom pseudo-random number generator is leaving as many as 360,000 applications open to attack, Symantec claims.

The security firm announced the figure in a blog post, claiming that the vulnerability, disclosed by the Bitcoin developers earlier this week, may have wider implications than the wallet apps it was first reported against.

"Certain Bitcoin wallet applications using Android's SecureRandom signed multiple transactions using an identical ‘random’ number. Since transactions are public on the Bitcoin network, attackers scanned the transaction block chain looking for these particular transactions to retrieve the private key and transfer funds from the Bitcoin wallet without the owner's consent," read the Symantec blog post.

"Other Android apps may be vulnerable to similar attacks depending on how they implement SecureRandom. Looking at Norton Mobile Insight data, we have found over 360,000 applications that make use of SecureRandom and over 320,000 of them use SecureRandom in the same way the Bitcoin wallets did."

The vulnerability was disclosed by the Bitcoin developers at the start of the week and was first thought to affect only wallet apps such as Bitcoin Wallet, BitcoinSpinner and Mycelium Wallet. Symantec has since published further details, confirming that the flaw lies in the SecureRandom generator these apps rely on to produce the per-signature random value used when signing transactions.

"Bitcoin uses the ECDSA [Elliptic Curve Digital Signature Algorithm] to ensure that funds can only be spent by their rightful owners. The algorithm requires a random number to compute an ECDSA signature, but if two different messages are signed with the same private key and the same random number, the private key can be derived," read the blog post.

"This is a known method of attacking the algorithm and was previously used to break the security of other products, such as the PlayStation 3 master key."

The Symantec researchers said the vulnerability should not affect newer versions of Android, but urged developers to remain cautious about their application security. "Android versions from 4.2 (Jelly Bean) and on may not be affected by these specific flaws since SecureRandom was reimplemented," read the post.

"We strongly advise users of Android Bitcoin wallet apps to check whether their applications are affected, and to follow the steps outlined by to make their funds safe. We would also like to advise Android developers to stay tuned and review their cryptographic implementations based on SecureRandom and evaluate whether this could pose a security risk."

Bitcoins are a digital currency designed to allow semi-anonymous online transactions to be made. The currency's semi-anonymous nature has proven a hit with many criminal cartels, which use it as a means to hamper law enforcement's ability to track them. Most recently Webroot reported that several black markets have begun taking Bitcoin payments.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

