The Latest in IT Security

The Android BitCoin vulnerability explained

20
Aug
2013

Last week Google announced a weakness in the Android platform that left users of certain BitCoin wallet applications at risk and potentially allowing the theft of funds.

Upon further examination, it emerged that the Android implementation of Java SecureRandom class contains a vulnerability that prevents the generation of secure random numbers to protect the wallet applications.

As a result, some signatures have been observed to possess colliding values that allow the private key (designed to protect the money in Bitcoin) to be revealed and money to be stolen.

The security issue is specific to the Android operating system and affects all Android applications that generate private keys on the user’s mobile device.

Technical overview

Since Android was released in 2008, it has used a Java Cryptography Architecture (JCA) that includes a class known as SecureRandom that provides a cryptographically strong random number generator (RNG).

Android is supposed to generate a random number whenever an Android application invokes SecureRandom (http://developer.android.com/reference/java/security/SecureRandom.html) with the output of this process supposedly unpredicatable.

Applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG (Pseudo Random Number Generator).

SecureRandom is supposed to run Android’s OpenSSL PRNG with an entropy seed from /dev/urandom, a protected system root file. But with this exploit, Android applications did not access the urandom file at all, indicating that a truly random seed was not used during the generation process.

The random numbers generated turned out to be less random than expected and may be repeated and therefore are predictable.

Below you can see some of the info Google shared about the vulnerability:

Source: http://android-developers.blogspot.co.il/2013/08/some-securerandom-thoughts.html

The thieves who abused this vulnerability probably scanned Bitcoin transactions and looked for repeats in the public keys that helped them later to solve the private keys, information that should only be known to the owner of the Android device.

Having the private key, they could then transfer money from the user’s account to a different one.

Below you can see the info shared on BitCoin’s blog about the vulnerability:

Source: http://bitcoin.org/en/alert/2013-08-11-android

What is BitCoin? Why target BitCoin?

Bitcoin is an online “currency” – virtual tokens that can be exchanged for goods and services the same as with “real” money.

The current value of BitCoin is more than 100 US dollars as seen in the chart below:

Source: http://blockchain.info/charts/market-price

It is important to mention that today there are malware families that perform Bitcoin mining (DevilRobber Trojan that targets Mac machines and mines Bitcoins), steal content of the Bitcoin wallet (Coinbit stealer or the case mentioned in this blog post) or launch Distributed Denial Of Service (DDOS) attacks against miners (BackDoor BTmine).

Thieves and malware authors are constantly finding creative ways to steal money so it was just a matter of time until they discovered the bug found in the Android implementation of Java SecureRandom.

For them it’s just another opportunity to swipe virtual cash from unsuspecting users.

Bitcoin is very popular among criminals or the cyber underground for money laundering.

You can anonymously transact and exchange the virtual currency for Dollars, Euros or gold.

Recently Benjamin Lawsky, superintendent of the US Department of Financial Services, said in a memo that the agency is considering new regulatory guidelines for virtual currencies (http://news.cnet.com/8301-1023_3-57598220-93/bitcoin-comes-under-scrutiny-from-new-york-regulators/ ).

How much money was stolen?

Well, it is hard to know as BitCoin has not made any statement and this bug has been around for a long time.

So far, it appears that the vulnerability has been used to steal at least 55 BTC (approximately $5,720).

Is that the first security incident involve with BitCoin?

No, we’ve already seen a few cases in the past relating to the security of BitCoin.

Bitcoin exchange BitFloor closed after virtual heist on September 2012 when nearly a quarter million dollars worth of the peer-to-peer currency was stolen by accessing unencrypted backup wallet keys (https://bitcointalk.org/index.php?topic=105818.0).

Nils Schneider, a researcher, published in his blog how he discovered a potential weakness in some Bitcoin implementations – recovering Bitcoin private keys using weak signatures from the blockchain (http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html ) on December 25th of 2012 which means the pseudo random generators were not truly random or secure so as a result the private keys could be recovered.

On April 2013 Another Bitcoin Wallet Service, Instawallet, suffers from attack and decided to suspend itself and shut down (http://techcrunch.com/2013/04/03/bitcoin-instawallet/).

Not directly related to BitCoin itself but on March 2013 three researchers published information about weaknesses they found in Java Pseudo Random Number Generators ( http://armoredbarista.blogspot.ie/2013/03/randomly-failed-weaknesses-in-java.html) which affects the randomness of numbers generated by SecureRandom.

Does it affect only Wallet applications?

Beside the reputation of BitCoin as a secure, anonymous currency this vulnerability could mean trouble for an enormous number of other Android applications.

For example other types of application that might make use of SecureRandom to generate unique identifiers or (like with Bitcoin wallet applications) as encryption keys for secure communication.

This could potentially make communications and user data from the affected applications, that implement unsecure unique identifiers, vulnerable to attack.

How long is this vulnerability going to exist?

Google on their response in the Android developers’ blog (http://android-developers.blogspot.ie/2013/08/some-securerandom-thoughts.html) stated that:

“Android has developed patches that ensure that Android’s OpenSSL PRNG is initialized correctly. Those patches have been provided to OHA partners.”

This indicates that millions of Android devices in the wild will remain bugged as most Android devices are not updated in a timely manner.

Some wallet applications have already been updated, but some have not so it will take an unknown time to all the wallet applications that vulnerable to update their implementation.

So in addition to this developer recommendation to update their implementation, Android has developed and released patches that ensure that the vulnerability will be mitigated.

What users can do to low the risk of been attacked?

The following instructions were taken from BitCoin website (http://bitcoin.org/en/alert/2013-08-11-android):

“In order to re-secure existing wallets, key rotation is necessary. This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself. If you use an Android wallet then we strongly recommend you to upgrade to the latest version available in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.

If you can’t update your Android app, alternatively, you can send your bitcoins to a Bitcoin wallet on your computer until your Android app can be updated. You should make sure not to send back your bitcoins to your old insecure addresses.”

Leave a reply


Categories

SUNDAY, OCTOBER 22, 2017

Featured

Archives

Latest Comments

Social Networks