Android Security Glitch Leaves Bitcoin Wallets Open To Theft
Michael Harper for redOrbit.com – Your Universe Online
A weakness in the Android operating system has been found to leave Bitcoin wallets vulnerable to theft, according to a blog post on Bitcoin.org. A component that generates secure random numbers is blamed for this weakness, which leaves every wallet generated by an Android app open to theft.
The Bitcoin blog post takes care to mention that this is a weakness in the Android mobile operating system, not in Bitcoin or in any specific Bitcoin app. Apps that act only as a front end to a wallet service, where users do not control their own private keys, are not affected. Bitcoin.org says these apps are unaffected because they do not generate the secure random numbers used to create the private keys that control a wallet. App developers are now preparing updates to address this vulnerability.
“In order to re-secure existing wallets, key rotation is necessary,” reads the Bitcoin.org blog posted yesterday. “This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself. If you use an Android wallet then we strongly recommend you to upgrade to the latest version available in the Play Store as soon as one becomes available.”
In a Bitcoin developer forum, Mike Hearn claims Java is to blame for this Android weakness.
“A few days ago we learned that the Android implementation of the Java SecureRandom class contains multiple severe vulnerabilities. As a result all private keys generated on Android phones/tablets are weak and some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen,” writes Hearn.
The Bitcoin blog post also suggests using Bitcoin Wallet by developer Andreas Schildbach. This app will automatically rotate the private keys after being updated from the Google Play store. Any old keys will then be listed as insecure in the user’s address book.
Other Bitcoin wallet apps, such as BitcoinSpinner, Mycelium Wallet and blockchain.info are being updated to protect users from potential Bitcoin theft.
The private keys in question are used by Bitcoin to securely confirm the identity of each user. Public and private versions of these keys are mathematically linked to complete any transaction. When someone transfers Bitcoins to another user, for example, they sign the transaction with the private key; the resulting signature is then validated with the public key.
Bitcoin, a digital currency, has been viewed with suspicion since its very first inception. The anonymous nature of the currency has been seen by those engaging in questionable activity as a way to send and receive money without a paper trail. To head off any future criminal activity, the Financial Crimes Enforcement Network of the US Department of the Treasury ruled earlier this year that Bitcoin exchanges and administrators must be registered as Money Services Businesses, thereby forcing them to comply with any and all anti-money laundering regulations, according to a PCWorld article.
Last month, security researcher Brian Krebs uncovered a cyber-prank in which hackers on a Russian forum attempted to use Bitcoins to purchase heroin through the online black market known as the “Silk Road.”
The hackers had the drugs shipped to Krebs’ home and alerted the police, but the researcher had been working with the FBI on this matter before the illegal drugs could arrive.