Why Bitcoin users using Android wallet apps need to upgrade

A flaw in the way Android generates "random" numbers has made many Bitcoin wallets hosted on Android smartphones insecure, Bitcoin developers have said.
On Sunday Bitcoin.org, which is maintained by the crypto-currency's community, warned that any wallet generated by an Android app was vulnerable to theft. Apps such as Bitcoin Wallet and Mycelium Wallet were affected and are currently being updated. The problem was flagged up by Google security engineer Mike Hearn.
Loose key
Quick cryptography primer: so-called public key cryptography (also the basis for end-to-end email security) involves paired public and private keys, with the public key being the one you show someone else so they can send you an encrypted message, and the private key being the one you hang onto in order to decode what is sent.
Bitcoin uses a similar system. To generate an "address" so someone else can send you bitcoins, a random number is used to create a public/private key pair via an algorithm. The public key is then transmogrified by further operations into a recognisable Bitcoin address (starting with a 1 or 3), and the private key makes it possible to use funds held at that address.
Addresses and their associated private keys are generally stored in software "wallets". Some people use hosted wallet services such as Coinbase, while others choose to keep their wallets on their desktop computers or phones. The people potentially affected in this case would be those who use a wallet app on their Android smartphones to generate and use their Bitcoin addresses and the associated private keys.
Bad repetition
The problem lies in Android's built-in pseudorandom number generator, the SecureRandom Java class. (Proper hardware random number generators are slow and expensive specialist components.) It turns out this generator has a bug that causes it to sometimes issue the same number twice - which makes it possible to work backwards to figure out the private key.
If you know what someone's private key is, you can effectively get into their wallet. This is not a theoretical hazard: some Bitcoin users have recently reported small thefts that were enabled by the earlier reuse of a supposedly random number.
The advice for users of Android Bitcoin wallet apps is to download the latest version (which should use a different pseudorandom number generator), generate a new Bitcoin address, send all personal funds to that address, and let contacts know what the new address is.
By David Meyer