Last week, thieves hijacked Bitcoin transactions and stole approximately US$5,720 worth of Bitcoins from Android digital wallet apps. This week, we know how they did it.
In a blog post yesterday by Android Security Engineer Alex Klyubin, Google revealed that flaws in Android’s Java and OpenSSL crypto PRNG (pseudorandom number generator) led to the theft of more than 55 Bitcoins.
“We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG,” he wrote.
A Bitcoin security advisory published on Tuesday named an “incomplete list” of four vulnerable wallet apps—Bitcoin Wallet, Blockchain, BitcoinSpinner and Mycelium Bitcoin Wallet—that have since been updated to patch the PRNG flaw.
The advisory also mentions that apps without private key control, such as Coinbase and Mt.Gox, are not affected, which lines up with Klyubin’s further statement on the glitch: “Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected. Apps that establish encrypted connections using the HttpClient and java.net classes aren’t vulnerable.”
PRNGs generate long, unpredictable numbers on which secret encryption keys and digital signatures depend. The exploited Android apps assumed the number used to sign each transaction was random, when in fact it repeated, and the thieves took advantage of that same repeated number to pilfer multiple transactions. Klyubin had suggestions and example code to show developers how to fix the problem.
“Developers who use JCA for key generation, signing or random-number generation should update their applications to explicitly initialize the PRNG with entropy from /dev/urandom or /dev/random,” he said. “Also, developers should evaluate whether to regenerate cryptographic keys or other random values previously generated using JCA APIs such as SecureRandom, KeyGenerator, KeyPairGenerator, KeyAgreement, and Signature.”
Google wasn’t the first to reveal the Android vulnerability, though. Several hours before the blog post, security researchers from Symantec issued a report estimating that upwards of 360,000 apps use the SecureRandom class, and explaining how the PRNG flaw undermines the Elliptic Curve Digital Signature Algorithm (ECDSA) that Bitcoin relies on.
According to the Symantec report, the algorithm requires a random number to compute an ECDSA signature, but if two different messages are signed with the same private key and the same random number, the private key can be cracked. This known method of attacking the algorithm was previously used to break the security of other products like the PlayStation 3.
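To make the nonce problem and the fix concrete, here is an added example (not code from Google’s post or from any of the wallet apps): a minimal ECDSA signer over secp256k1, a signer that models the unseeded PRNG by returning the same nonce every time, a signer that draws nonces from the OS CSPRNG as Klyubin recommends, and the check for repeated r values that an auditor would run over a wallet’s signatures. The key, nonce and transaction messages are constructed for the demonstration.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin uses for ECDSA)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P
def scalar_mult(k, point):  # double-and-add computation of k*point
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result
def sign(priv, msg, k):
    """ECDSA (r, s) over sha256(msg); the nonce k is a parameter so a broken PRNG can be modelled."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s
def reused_nonces(sigs):
    """r values seen in more than one signature: equal r means the same nonce k was used."""
    rs = [r for r, _ in sigs]
    return {r for r in rs if rs.count(r) > 1}

# Constructed scenario: one wallet key signs two different transactions.
PRIV = 0x1D3F5B7A9C2E4A6C8E0F1A3B5C7D9E0F21436587A9CBED0F1234567890ABCDEF  # constructed, not a real key
MSGS = [b"tx-1: pay 0.5 BTC to A", b"tx-2: pay 0.3 BTC to B"]
def broken_wallet_sigs():
    # Models the unseeded Android PRNG: every "random" nonce comes out the same (constructed constant).
    return [sign(PRIV, m, 0xC0FFEE_C0FFEE_C0FFEE_C0FFEE_C0FFEE) for m in MSGS]
def fixed_wallet_sigs():
    # secrets draws from the OS CSPRNG (/dev/urandom on Linux), so every nonce is fresh.
    return [sign(PRIV, m, 1 + secrets.randbelow(N - 1)) for m in MSGS]
```

Two signatures from the broken wallet share their r value, which is exactly the condition under which the private key becomes recoverable; the reseeded wallet never produces that collision.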
For the moment it looks as if Android’s Bitcoin wallet apps are once again secure, at least until thieves uncover another way to siphon off the electronic currency. The PRNG flaw is patched in the main Bitcoin wallet apps affected, and developers are armed with instructions to shore up their own apps.
The Android blog post thanked students Soo Hyeon Kim and Daewan Han of the Electronic and Telecommunications Research Institute, and Dong Hoon Lee of Korea University, for notifying Google of the OpenSSL PRNG vulnerability.