Google Offers Fixes For Android Flaws Used To Steal Bitcoins

Google has come clean about flaws in Android’s pseudo-random number generator that led to the theft of funds from Bitcoin wallets, and offered a number of fixes and patches.

It emerged earlier this week that Bitcoin wallets using Android’s SecureRandom service were vulnerable, with several reports of stolen BTC balances.

It is believed Bitcoin apps had signed numerous transactions with the same supposedly random number created by Google’s SecureRandom. Every transaction requires a signature made with the private key and a freshly generated random number.

If there is more than one occurrence of the same private key and the same “random” number in this process, this can be exploited to acquire the private key of a user and pretend to be them.

Attackers looked at the blockchain, which records all Bitcoin-based transactions, for such repetitions, according to security experts. They could then glean private keys of Bitcoin applications.

Where the Android weakness lies…

The weakness lies in the pseudorandom number generator (PRNG) in Android’s Java Cryptography Architecture (JCA), Google has admitted.

Android security engineer Alex Klyubin said apps using this “may not receive cryptographically strong values on Android devices due to improper initialisation of the underlying PRNG”. “Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialisation on Android are also affected,” he added.

According to Symantec, over 320,000 Android apps use SecureRandom in the same way Bitcoin wallets do, meaning that many could be vulnerable.

Google has sent patch information to device manufacturers, meaning if its hardware partners push out updates, users should be protected. There is no information on when they might do that, however.

It has also given developers advice. “Developers who use JCA for key generation, signing or random number generation should update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random,” Klyubin added.

“Developers should evaluate whether to regenerate cryptographic keys or other random values previously generated using JCA APIs such as SecureRandom, KeyGenerator, KeyPairGenerator, KeyAgreement, and Signature.”

A host of Bitcoin wallets have now been updated, including Bitcoin Wallet, Bitcoin Spinner, Mycelium Bitcoin Wallet and blockchain.info.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
