Android SecureRandom Bitcoin wallet vulnerability could be used to hack more than 300,000 apps

A flaw in Google Android's cryptographic protocols is leaving as many as 360,000 applications open to attack, Symantec claims.

The security firm announced the figure in a blog post, claiming that the vulnerability, announced by Bitcoin earlier this week, may have wider implications.

"Certain Bitcoin wallet applications using Android's SecureRandom signed multiple transactions using an identical ‘random' number. Since transactions are public on the Bitcoin network, attackers scanned the transaction block chain looking for these particular transactions to retrieve the private key and transfer funds from the Bitcoin wallet without the owner's consent," read the Symantec blog post.

"Other Android apps may be vulnerable to similar attacks depending on how they implement SecureRandom. Looking at Norton Mobile Insight data, we have found over 360,000 applications that make use of SecureRandom and over 320,000 of them use SecureRandom in the same way the Bitcoin wallets did."

The vulnerability was disclosed by Bitcoin at the start of the week. It was first thought to only affect payment services like Bitcoin Wallet, BitcoinSpinner, Mycelium Wallet and Blockchain.info. Symantec has since disclosed further details about the flaw, confirming it relates to the SecureRandom protocols used to authenticate the users identity.

"Bitcoin uses the ECDSA [Elliptic Curve Digital Signature Algorithm] to ensure that funds can only be spent by their rightful owners. The algorithm requires a random number to compute an ECDSA signature, but if two different messages are signed with the same private key and the same random number, the private key can be derived," read the blog post.

"This is a known method of attacking the algorithm and was previously used to break the security of other products, such as the PlayStation 3 master key."

The Symantec researchers confirmed the vulberability should not affect new versions of Android, but said developers should remain extra cautious about their application security. "Android versions from 4.2 (Jelly Bean) and on may not be affected by these specific flaws since SecureRandom was reimplemented," read the post.

"We strongly advise users of Android Bitcoin wallet apps to check whether their applications are affected, and to follow the steps outlined by Bitcoin.org to make their funds safe. We would also like to advise Android developers to stay tuned and review their cryptographic implementations based on SecureRandom and evaluate whether this could pose a security risk."

Bitcoins are a digital currency designed to allow semi-anonymous online transactions to be made. The currency's semi-anonymous nature has proven a hit with many criminal cartels, which use it as a means to hamper law enforcement's ability to track them. Most recently Webroot reported that several black markets have begun taking Bitcoin payments.

• Tweet  
• Facebook  
•  
•  
• Send to  

• Topics
• Security
• Hacking
• cyber-crime
• Android
• Bitcoin