• Home
  • News
  • Reviews
  • Digital technology
  • Cloud
  • Data analytics
  • Digital leaders
  • IoT
  • Opinion
  • Events
  • Resources
  • Data Strategy Spotlight
  • Newsletters
  • Sign in
  • Events
    • Follow V3 Events

      Sign up to receive email alerts about our events

      Sign up
  • Resources
    • V3resources 120x194
      Network Security Forensics For GDPR Compliance

      An effective network security forensics strategy can assist an organization in providing key compliance-related details as part of any post-incident GDPR investigation.

      Download
      V3resources 120x194
      10 ways to increase productivity with managed Office 365

      For businesses large and small, relying on a cloud-based collaboration and productivity suite such as Microsoft Office 365 is becoming the norm. Enhancing productivity in your organisation is vital to get ahead in 2017 - and using Office 365 can help, if it's used right...

      Download
      Find resources
      Search by title or subject area
      View all resources
  • Data Strategy Spotlight
  • Sign in
  •  
    •  

      You are currently accessing V3 .co.uk via your Enterprise account.

      Personalise your on site experience

      Download and use the apps

      Access your subscription from outside of the office

      Get relevant news and insight straight to your inbox

      • Sign in
     
      • Newsletters
      • Account details
      • Contact support
      • Sign out
     
  • Follow us
    • RSS
    • Twitter
    • Newsletters
    • Facebook
    • YouTube
  • Register
  • News
  • Reviews
  • Digital technology
  • Cloud
  • Data analytics
  • Digital leaders
  • IoT
  • Opinion
 
  •  

    You are currently accessing V3 .co.uk via your Enterprise account.

    Personalise your on site experience

    Download and use the apps

    Access your subscription from outside of the office

    Get relevant news and insight straight to your inbox

    • Sign in
 
    • Newsletters
    • Account details
    • Contact support
    • Sign out
 
V3.co.uk
  • Security

Android SecureRandom Bitcoin wallet vulnerability could be used to hack more than 300,000 apps

Symantec says Android 4.2 users should be safe from cryptography flaw fallout

Bitcoin 3D logo
  • Alastair Stevenson
  • Alastair Stevenson
  • @MonkeyGuru
  • 14 August 2013
  • Tweet  
  • Facebook  
  •  
  •  
  • Send to  
0 Comments

A flaw in Google Android's cryptographic protocols is leaving as many as 360,000 applications open to attack, Symantec claims.

The security firm announced the figure in a blog post, claiming that the vulnerability, announced by Bitcoin earlier this week, may have wider implications.

"Certain Bitcoin wallet applications using Android's SecureRandom signed multiple transactions using an identical ‘random' number. Since transactions are public on the Bitcoin network, attackers scanned the transaction block chain looking for these particular transactions to retrieve the private key and transfer funds from the Bitcoin wallet without the owner's consent," read the Symantec blog post.

"Other Android apps may be vulnerable to similar attacks depending on how they implement SecureRandom. Looking at Norton Mobile Insight data, we have found over 360,000 applications that make use of SecureRandom and over 320,000 of them use SecureRandom in the same way the Bitcoin wallets did."

The vulnerability was disclosed by Bitcoin at the start of the week. It was first thought to only affect payment services like Bitcoin Wallet, BitcoinSpinner, Mycelium Wallet and Blockchain.info. Symantec has since disclosed further details about the flaw, confirming it relates to the SecureRandom protocols used to authenticate the users identity.

"Bitcoin uses the ECDSA [Elliptic Curve Digital Signature Algorithm] to ensure that funds can only be spent by their rightful owners. The algorithm requires a random number to compute an ECDSA signature, but if two different messages are signed with the same private key and the same random number, the private key can be derived," read the blog post.

"This is a known method of attacking the algorithm and was previously used to break the security of other products, such as the PlayStation 3 master key."

The Symantec researchers confirmed the vulberability should not affect new versions of Android, but said developers should remain extra cautious about their application security. "Android versions from 4.2 (Jelly Bean) and on may not be affected by these specific flaws since SecureRandom was reimplemented," read the post.

"We strongly advise users of Android Bitcoin wallet apps to check whether their applications are affected, and to follow the steps outlined by Bitcoin.org to make their funds safe. We would also like to advise Android developers to stay tuned and review their cryptographic implementations based on SecureRandom and evaluate whether this could pose a security risk."

Bitcoins are a digital currency designed to allow semi-anonymous online transactions to be made. The currency's semi-anonymous nature has proven a hit with many criminal cartels, which use it as a means to hamper law enforcement's ability to track them. Most recently Webroot reported that several black markets have begun taking Bitcoin payments.

  • Tweet  
  • Facebook  
  •  
  •  
  • Send to  
  • Topics
  • Security
  • Hacking
  • cyber-crime
  • Android
  • Bitcoin

V3 Latest

TSMC starts high volume production of 7nm chips
TSMC starts high volume production of 7nm chips

Claims to have "the most competitive logic density" in the industry

  • Components
  • 25 April 2018
Dell unveils Precision 5530 2-in-1 mobile workstation with Radeon Pro WX Vega M GL graphics
Dell unveils Precision 5530 2-in-1 mobile workstation with Radeon Pro WX Vega M GL graphics

Dell's high-end mobile workstations upgraded with Intel Coffee Lake CPUs

  • Hardware
  • 25 April 2018
Europol coordinates close down of 'world's biggest' DDoS-for-hire service
Europol coordinates close down of 'world's biggest' DDoS-for-hire service

Webstresser admins were also arrested in the UK, Croatia, Canada and Serbia

  • Security
  • 25 April 2018
Almost 90 per cent of UK websites suffer from 'serious' security flaws
Almost 90 per cent of UK websites suffer from 'serious' security flaws

Security firm claims that 117,638 sites out of 135,035 analysed contain serious security flaws

  • Security
  • 25 April 2018
Back to Top

Most read

Oracle: Java SE 8 business users must buy a licence from January next year
Oracle: Java SE 8 business users must buy a licence from January next year
AI could improve global stability from around 2040, claims US thinktank RAND Corporation
AI could improve global stability from around 2040, claims US thinktank RAND Corporation
How NoSQL database technology and IoT sensors are being put to work saving endangered elephants and tigers
How NoSQL database technology and IoT sensors are being put to work saving endangered elephants and tigers
MPs demand answers from TSB over online banking 'meltdown' following platform migration
MPs demand answers from TSB over online banking 'meltdown' following platform migration
British security start-up launches lip-sync authentication technology
British security start-up launches lip-sync authentication technology
  • Contact
  • Marketing solutions
  • Enterprise IT Events
  • About
  • Terms & conditions
  • Privacy policy
  • RSS
  • Twitter
  • Newsletters
  • Facebook
  • YouTube

© Incisive Business Media (IP) Limited, Published by Incisive Business Media Limited, New London House, 172 Drury Lane, London WC2B 5QR, registered in England and Wales with company registration numbers 09177174 & 09178013

Digital publisher of the year
Digital publisher of the year 2010, 2013, 2016 & 2017