Bitcoin Transactions on Android Vulnerable to Theft

A vulnerability in the secure random number generator used on the Android platform to secure Bitcoin transactions leaves wallets open to theft.

Bitcoin wallets on the Android platform are vulnerable to theft after a vulnerability was discovered that could allow an attacker to guess a private key used to secure transactions involving the virtual currency.

A post to a Bitcoin forum over the weekend pointed to a report of one address having 55.8 Bitcoins stolen. As of this morning, one Bitcoin was worth $104.52 according to an online Bitcoin exchange calculator.

“All private keys generated on Android phones/tablets are weak and some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen,” said developer Mike Hearn who wrote an alert on a Bitcoin development mailing list.

The vulnerability is in the Android implementation of the Java SecureRandom random number generator. An alert on bitcoin.org urges users to rotate their keys and generate new addresses with a repaired random number generator and then send your Bitcoin funds back to yourself.

According to the alert, Bitcoin Wallet has been patched and update 3.15 is available on Google Play. BitcoinSpinner users are being told to upgrade to Mycelium Wallet; update v0.6.5 is available from Google Play or the Mycelium website. Blockchain[.]info, meanwhile, is still vulnerable and a patch is being developed.

“If you use an Android wallet then we strongly recommend you to upgrade to the latest version available in the Play Store as soon as one becomes available,” according to the Bitcoin.org alert. “Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.”

Users should note that apps where the user does not control the private keys, such as exchanges like Mt. Gox, are not impacted; only private keys generated by an Android mobile device are vulnerable.

Bitcoin balances are associated with an address and the public-private cryptographic key pair; users do not have to associate an email address or user name with their currency. Whomever has the crypto key pair owns the money and can conduct transactions. Bitcoin addresses are alpha-numeric identifiers that indicate where Bitcoin currency should be moved; addresses are generated by exchanges, apps or online wallet services.

Bitcoin has caught the eye of regulators who are concerned about the anonymity of transactions and the attractiveness of virtual currencies to criminals. Today, the New York Department of Financial Services requested subpoenas on a number of Bitcoin merchants in order to examine their practices and determine their compliance with existing regulations.

“If virtual currencies remain a virtual Wild West for narcotraffickers and other criminals, that would not only threaten our country’s national security, but also the very existence of the virtual currency industry as a legitimate business enterprise,” the department’s notice of inquiry said. “Indeed is is in the common interest of both the public and the virtual currency industry to bring virtual currencies out of the darkness and into the light of day through enhanced transparency. It is vital to put in place appropriate safeguards for consumers and law abiding citizens.”

The department said its inquiry is the first step toward developing regulatory guidelines for virtual currencies and that current exchanges may not be in compliance with DFS regulations guarding money transmissions.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.