Slashdot Mirror
Google Admits Bitcoin Thieves Exploited Android Crypto PRNG Flaw
rjmarvin writes "The theft of 55 Bitcoins, or about $5,720, through Android wallet apps last week was made possible because of flaws in Android's Java and OpenSSL crypto PRNG, Google revealed in a blog post. In the wake of a Bitcoin security advisory and a Symantec vulnerability report, the Android Developers Blog admitted the reason the thieves were able to pilfer their wallet apps. The flaws are already, or in the process of being repaired."
Is it up to the OEM to backport the patch to all the various android versions that they have? If so, this vulnerability will live forever.
It's like google and its partners are building this huge botnet of vulnerable devices. Every year it gets bigger.
Google really had no incentive to screw up the random number generator that would be used by every crypto app on the platform. There are no backdoors, only honest mistakes and bugs.
This is why I wouldn't ever consider having my cell phone be something which can directly access my money.
I don't trust the makers to competently build in security, and I believe that once everyone knows your cell phone is likely to be tied to your bank account, it's a soft target.
They keep trying to find new ways to make it more 'convenient' to use these things to spend money, but 'convenient' in this case means insecure and fraught with privacy issues (and extra service fees if they can get away with it).
Same with that tap to pay mechanism ... wow, you mean anybody with my physical card can spend my money without authorization? Gee, sign me up for that.
Tech companies want to make a product or app for pretty much everything -- and a lot of them I find myself asking "who would want that?".
Now, mind the steps while you're leaving my lawn, and don't trip on the sprinkler.
Lost at C:>. Found at C.
FTFA: security researchers from Symantec issued a report on upwards of 360,000 apps using the SecureRandom class, containing the PRNG flaw in Bitcoinâ(TM)s Elliptic Curve Digital Signature Algorithm (ECDSA).
May give a potential indication at the sheer number of applications affected by this exploit (which is programmer negligence apparently). Drilling into the Symantec article reveals how they arrived at that number.
we have found over 360,000 applications that make use of SecureRandom and over 320,000 of them use SecureRandom in the same way the bitcoin wallets did (they did not call setSeed).
Join the Slashcott! Feb 10 thru Feb 17!
You know, it's not even bitcoin.
The entire crypto on the platform is vulnerable from the looks of it.
So, I would assume if there were other digital wallet type things on Android, they would be subject to the exact same vulnerability.
Lost at C:>. Found at C.
Everyone is focused on BitCoin, but did this flaw also weaken SSL connections?
I applaud Google's admission, but sad to note that that the argument will embolden those who've been touting the "fact" that iOS is more secure than Android.
I guess one cannot be blamed for saying, "So much for the so called secure open nature of Android."
It just doesn't seem to work...or does it?
I'm so glad they're going to start regulating bitcoin. I mean, somebody ran off with $5,720! Monstrous!
That's why I keep my money in safe, secure U.S. dollars and in the stock market, where you don't have to worry about dangerous criminals absconding with your savings.
We don't have a state-run media we have a media-run state.
True random numbers are as simple as a reversed Zener diode connected to an A/D converter... quantum tunneling across the diode creates truly random signal, equivalent to thermal noise.
So why isn't every CPU nowadays equipped with this, so that the RND function is done in hardware?
-- Insert witty one-liner here. --
...and will reach the majority of Android users in the next 3-5 years.
...and nothing of value was lost.
The bitcoin wallets were already fixed. Now the problem is with everything else...
Hence why all my Android and iOS devices run a VPN (using the OpenVPN app which works great on both). Of course, the network at the VPN end-point isn't necessarily more secure, but it will be far more secure than all the networks in-between.
The real question here is... will Google at LEAST update all the phones and pads under their own control? Motorola and Nexus updates, please!
-Matt
You can only blame yourselves !! Leave OS design and implementation to the professionals; there is only one name that can be trusted: MicroSoft !!
No, it means that devs jumped on the problem as soon as it was revealed, and at least the Android wallet I use has already been patched, and a new bitcoin address automatically created to secure my precious .0006BTC. I assume that's the case for most, if not all, Android wallets.
Nothing you said was true. so you might want to consider the possibility that you don't know what you're talking about and are spreading FUD.
Someone released an app on XDA, called Seeder, that purports to create entropy to seed the random number generator. Does this have anything to do with that app, or the bug that prompted the developer to write it? I remember when people were discussing the original app (which some people say only has a placebo effect), and they were saying it had security implications...does it make this problem worse or better?
Stasis is death. Embrace change.
Including the majority of Android phones, which won't ever be upgraded due to stupid carriers.
Including most being sold today.
#Winning
This is not an OpenSSL-flaw. Proper initialization of a CPRNG is critical and the OpenSSL documentation states that. The choice of OpenSSL is however especially bad with a bad initialization, as the OpenSSL CPRNG does not continue to seed the generator with additional entropy during its operation, unlike /dev/random or /dev/urandom. Google messed up spectacularly in two regards:
1. They had nobody that understood secure random number generation on the team
2. They did not have their solution independently reviewed by a competent 3rd party
They also selected a CPRNG especially vulnerable to bad seeding and did not use a source of good seeding readily available.
These mistakes are on low amateur level when implementing cryptographic functionality. The dangers of bad CPRNG seeding have been well understood for decades. This looks like the all-to-often found mixture of incompetence and arrogance.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
If the phones used an Intel SOC, with the RdRand instruction, this would not have happened, because the phone would have over 100MBytes/s of cryptographically secure random numbers from an on chip TRNG, available to software through a single instruction.
ARMs are limited in ways other than just being slow. When it comes to security, these things matter.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
It's okay though, with Android you can just write your own PRNG and change all the other software to use it, then you'll be good to go.
Oh, so those 2% of Android devices which are running the latest Droid OS can breathe easy now...
They were misusing the NSA hole in the Android crypto. Smells like inhouse job, maybe Snowden gave the heads up.
So what that means is that they aren't repaired, and they will start working on it at some point. Thats a ridiculously wishy-washy statement that has no actual meaning.
This is what you get for playing with bit coin. When are you going to learn?
The articles says "flaws". That's plural, as in more than 1 flaw. So some of them have already been patched, others are currently being patched. It's really not that difficult to understand the meaning. The only thing wishy-washy is your attention span.
I assure you, he was casting aspersions on all digital wallet type things, not just bitcoin. Bitcoin advocates love to tout how awesomely anonymous and secure and perfect and futuristic it is. Then scams and simple robberies like this happen all the time, and normal people say "caveat emptor, you fool" while the mouthbreathers insist that "It's not a problem with BITCOIN per se! Bitcoin is still great! Bittcoin 4eva!"
My last pay check was $8500 working 10 hours a week online. My younger brother friend has been averaging 12k for months now and he works about 22 hours a week. I can't believe how easy it was once I tried it out. This is what I do, RUN33.COM
Destiny is not a matter of chance; it is a matter of choice. It is not a thing to be waited for; it is a thing to be achieved.
Or rather the Java libraries and their documentation. My guess is that nobody working on this application even noticed that they did seed SecureRandom wrongly. At the same time, making sure this class is always seeded securely (which the spec would allow and would cause negligible overhead) would have been the right thing to do. But after looking at the problem in more detail, I am not so sure anymore this mistake by Google is the root-cause. It is also quite possible that Java programmers in general have stopped caring how classes do things internally, as long as they seem to work. The documentation for the Java crypto API is certainly convoluted and uninformative enough to be rather painful to read and left me wondering what the different methods actually do.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
BitCoin, SchmitCoin!
If this is the kind of stunt being pulled off, it a'int no BitCoin that I worry about.
GooglePay from Android phones. There's where you can make your pennyshaving pay big rewards.
I would run over my phone with a truck, before trusting Android with real account information.
"Flyin' in just a sweet place,
Never been known to fail..."
Bitcoin is pretty awesome/interesting. Its experimental as well, so of course there will be bumps in the road. This is the first time open source beat closed source to a market, stop hating on it.
How long until Google lawyers will claim that Android users have no expectation of security?
I don't trust the makers to competently build in security, and I believe that once everyone knows your cell phone is likely to be tied to your bank account, it's a soft target.
A sensible and cautious approach. However it isn't all doom and gloom. To encourage customers to use online banking the banks largely have indemnified users against loss due to unauthorized access. The details vary but you typically can get your money back because it is insured or guaranteed by the bank. Might cause a lot of inconvenience but it's doable. It's not really any more or less secure than accessing your bank through a web browser on a PC. Not to say you couldn't be hacked or have some problems but in practical terms it is a manageable problem in practice.
Frankly the soft target isn't your phone, it is your online user name and password. THAT is the point where most people fall down. Why bother breaking they crypto when you can just social engineer or guess your way into the account? Not to say you shouldn't be concerned about the strength of the crypto but it's not what keeps me up at night.
That said if you have an account with a lot of money in it, it isn't a bad idea to isolate that account from the web if practical. You really only need access to a relatively small amount of cash at any given time so why give online thieves an opportunity if you don't truly need online access to the account? I also think debit cards are the work of the devil. A credit card is fine and an ATM card is ok but debit cards are WAY too easy to abuse. If you have a credit card I cannot fathom why you would ever use a debit card.
This certainly affects Bitcoin the most, but a random number generator that actually produces the same "random" numbers is hardly random at all, and could present a serious problem for all types of applications. In fact, that's a thoroughly-broken random number generator and all crypto-related operations could be hosed. I'm wondering how such an egregious PRNG/seeding-algo made it this long without someone noticing. Maybe it's because Bitcoin provides a financial incentive to find these flaws, and honestly it's pretty easy to spot it from a one-minute blockchain scan -- just look for two transactions with identical r-values, plug it into the stupid-simple equation, and then steal the money.
This has actually come up in the Bitcoin space before: people were rolling-their-own-ECDSA for constructing and signing transactions, and were not aware of the importance of using different random numbers for every signature. As such, about a year ago someone did an identical blockchain search and was able to steal coins the exact same way: but it was due to script-kiddie ignorance. It was assumed this problem would go away when you start using the system PRNG, and taught people a lesson about rolling-their-own-crypto. Even if it's a weak system PRNG, the ECDSA signatures are fairly strong as long as the numbers are different between signatures. Apparently this was more than just "weak" though...
For Android/mobile, the answer is to leverage the variety of sensors that are on-board. Using the low bits of accelerometer output should work great for seeding a PRNG if someone is actually holding the phone. If not, snap an image or take a quarter-second audio recording should suffice. There's enough noise on the camera and microphone that the hash of the output should be different even if it's sitting camera down in a quiet room. A lot of times you only 32-bytes of entropy, and a single image with 5 million pixels can give you an order of magnitude more than that just from the random variations in sensor output in a dark room.
Just one.
OK then, what does that imply for you ? It's in the current nature of Bitcoin that all your Bitcoins ARE in one basket and you should disaster plan accordingly.
This is Google we're talking about. The company which openly says you have no privacy.
This is more proof of their stance.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Bitcoin is pretty awesome/interesting.
Yeah, so what? Some people think basket weaving is awesome/interesting.
This is the first time open source beat closed source to a market, stop hating on it.
On something a majority of people wisely don't use or care about. But, yes, continue to pay yourself on the back.
Why are files from one app available to another?
I'll give you that it's interesting. I wouldn't call it awesome, except to say that I'm often awestruck at how relentlessly unscrupulous the bitcoin community remains at every turn. What market is it, exactly, that bitcoin is first to? It's not the first currency to be exchanged nor stored anonymously. It's not the first solution for online person to person or e-commerce payments. It's not the first virtual currency to be exchangeable for real money. Etc. What has bitcoin done besides assert its own value on the premise that it will somehow be the future of worldwide finance?
Yeah, so what? Some people think basket weaving is awesome/interesting.
That's probably because it is.
Ezekiel 23:20
It's okay though, with Android you can just write your own PRNG and change all the other software to use it, then you'll be good to go.
It's even better than that though. You can write it; but Google carefully thought to protect you from actually deploying it by putting Android under the Apache license which means that your phone manufacturer can lock down your bootloader to protect you from actually changing anything. Just think of all the people who might end up putting insecure random number generators into their phone and screwing their security if Google had used, for example, the GPLv3.
All hail the all knowing and all wise Google.
(I will admit that at least Google's own Nexus devices don't really do this; but why spoil a good rant with facts.. )
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
I assure you, he was casting aspersions on all physical assets, not just gold. Gold advocates love to tout how awesomely anonymous and secure and perfect and futuristic it is. Then scams and simple robberies like this happen all the time, and normal people say "caveat emptor, you fool" while the mouthbreathers insist that "It's not a problem with GOLD per se! Gold is still great! Golld 4eva!"
FTFY. The advantage with Bitcoin and similar monetary systems isn't that it's magically immune to theft by granting perfect security. The advantage is that users must pay for and deal with their own security. Had there been a similar flaw in a traditional banking app, the victims would have been reimbursed at everyone else's expense. Your victimization actually is "happening all the time" - your bank account is losing value due to theft right now.
What has bitcoin done besides assert its own value on the premise that it will somehow be the future of worldwide finance?
Uh, succeed?
it's in the god damn android PRNG initialization of Android and yes, it applies to their Nexus devices though when it's fixed, it will at least be fixed on them.
Mod me up/Mod me down: I wont frown as I've no crown
It's the first (semi-) widely used digital currency.
It's not the first solution for online person to person or e-commerce payments.
All previous methods relied on a trusted central authority to prevent "double spending", so they arguably weren't person to person... they were person to money transmitter to person. Bitcoin is 100% p2p, no need to trust a central authority for anything whatsoever.
? It's not the first currency to be exchanged nor stored anonymously.
This is true because Bitcoin is not really designed for anonymous exchange. All transactions are public and many points on transactions are publicly known. You have to try pretty hard to be anonymous.
What has bitcoin done besides assert its own value on the premise that it will somehow be the future of worldwide finance?
What Bitcoin added is lack of a single point of centralised control or even distribution. It is a pretty neat cryptographic design which has actually been implemented in real life. Up until recently, the NSA could probably have taken over and destroyed Bitcoin at any time, but since there seem to be quite a number of ASIC miners working now probably even the NSA doesn't have the compute power to do that and so there's no real way to put Bitcoin back into centralised control.
There was nothing before Bitcoin that achieved all that.
Having said that, if someone could do the same but with proper anonymity and some other desirable characteristics there's nothing to say that Bitcoin won't be swapped out some time in the future. No idea what that would do to the value of a Bitcoin. Probably depends on the value of the Bitcoin holdings of the guy who designs the future.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
I won't bother /.3rz, of all beings, with the all too obvious Heinlein quote(s).
Suffice it to comment that without all the spammers, jammers, thieves, and assorted low-lifes, a whole dump of vulnerabilities and back-doors would still be happily ticking away out there, just waiting for (and on) big brothers' (state, corporate, private, "religious") sadistic corrupt whims.
BTW do you keep all your eggs in one wallet?
Time to wonder about rolling your own embedded linux, HURD, etc.? Naaah!
The "fix" for this problem is no good. Look at the code.
DataOutputStream seedBufferOut = new DataOutputStream(seedBuffer);
seedBufferOut.writeLong(System.currentTimeMillis());
seedBufferOut.writeLong(System.nanoTime());
seedBufferOut.writeInt(Process.myPid());
seedBufferOut.writeInt(Process.myUid());
seedBufferOut.write(BUILD_FINGERPRINT_AND_DEVICE_SERIAL);
seedBufferOut.close();
How well can we predict those values?
For a program which is initialized when the machine starts, quite well. BUILD_FINGERPRINT_AND_DEVICE_SERIAL is a commonly used device identifier, and is probably being sent in by some apps that "phone home". No entropy there. CurrentTimeMillis is the time and date the machine was powered up. If you guess that was in the last day or so, you'll get a reasonable number of phones. The same is true of nanoTime(), which only has a resolution of milliseconds on Android. Worse, if the crypto library is always initialized shortly after boot, that will always be a small number. MyUID? Probably not too many of those on a phone. MyPid? This is being captured once at startup, so it's probably one of a small number of values.
The easiest attack would be to look for new connections coming from people in airports or leaving movie theaters. They're likely to have just powered up their phone, so nanoTime and myUID are small numbers, and you know roughly what the time was when they powered up. They won't have made many connections yet, so they're near the beginning of the PNG's stream. So the keyspace you have to search isn't that large.
That code almost looks like it was designed to be cryptographically weak. There's not a single source of real randomness there.
Actually, it almost certainly means that an engineer got told about it, and has claimed that he has fixed it, however, their integration and testing juggernaughts have not yet got round to confirming that it's fixed, and the release schedule doesn't allow for them to send it out right this second.
The advantage with Bitcoin and similar monetary systems isn't that it's magically immune to theft by granting perfect security. The advantage is that users must pay for and deal with their own security. Had there been a similar flaw in a traditional banking app, the victims would have been reimbursed at everyone else's expense. Your victimization actually is "happening all the time" - your bank account is losing value due to theft right now.
OH MY FUCKING GOD MIND BLOWN I WILL TAKE ALL MY MONEY OUT OF MY BANK AND BUY BITCOINS!!!!1!1!!
Wait, no, I won't. The "value loss" I effectively pay to the bank is how I pay for security, you asshat.
I realize that it's a matter of faith to libertarians that the world will magically get better if everyone has to be their own police force and army, but the real world doesn't work that way. Study some basic economics (a topic most libertarians are woefully ignorant about despite boasting about how economically intelligent they are) and maybe it'll eventually sink in that specialization increases economic productivity at both the individual and societal level. Securing your own money and property is an example of this -- I will not be better off if I spend lots of my time and attention on money and the protection thereof rather than doing things that I am good at and interested in (in my case, electrical engineering).
it's in the god damn android PRNG initialization of Android and yes, it applies to their Nexus devices though when it's fixed, it will at least be fixed on them.
Please read through my post again. The thing which doesn't apply to a Nexus is the boot loader protection which "protects" you from fixing the Android PRNG yourself (on a Nexus, you can even install alternate ROMS that you can compile yourself). You might also want to note my signature.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
the following extract is from the jdk 1.4.2 javadoc, bold is mine :
By using this constructor, the caller obtains a SecureRandom object containing the implementation from the highest-priority installed provider that has a SecureRandom implementation.
Note that this instance of SecureRandom has not been seeded. A call to the setSeed method will seed the SecureRandom object. If a call is not made to setSeed, the first call to the nextBytes method will force the SecureRandom object to seed itself.
This constructor is provided for backwards compatibility. The caller is encouraged to use one of the alternative getInstance methods to obtain a SecureRandom object.
So, I would assume if there were other digital wallet type things on Android, they would be subject to the exact same vulnerability.
Unless they open an SSL/TLS connection prior to generating random numbers, or if they aren't dependent on randomness for security (unlikely).
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Normal money works for you. Bitcoin works for some people.
What's wrong with that?
I have some imaginary bridges to sell.
Can I have a list and phone numbers of these people who actually trade real money for these 'bitcoin' things ???
Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected
The entire crypto on the platform is vulnerable from the looks of it.
That's bad, but it sounds like there's an easy fix. It seems the issue isn't actually with the crypto implementation, but with the initial seed for the randomiser. There are plenty of PRNG libraries for most programming languages, and on a mobile device, there's likely to be other ways of generating entropy - sampling radio static or some such.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
The advantage with Bitcoin and similar monetary systems isn't that it's magically immune to theft by granting perfect security. The advantage is that users must pay for and deal with their own security. Had there been a similar flaw in a traditional banking app, the victims would have been reimbursed at everyone else's expense. Your victimization actually is "happening all the time" - your bank account is losing value due to theft right now.
OH MY FUCKING GOD MIND BLOWN I WILL TAKE ALL MY MONEY OUT OF MY BANK AND BUY BITCOINS!!!!1!1!!
Wait, no, I won't. The "value loss" I effectively pay to the bank is how I pay for security, you asshat.
I realize that it's a matter of faith to libertarians that the world will magically get better if everyone has to be their own police force and army, but the real world doesn't work that way. Study some basic economics (a topic most libertarians are woefully ignorant about despite boasting about how economically intelligent they are) and maybe it'll eventually sink in that specialization increases economic productivity at both the individual and societal level. Securing your own money and property is an example of this -- I will not be better off if I spend lots of my time and attention on money and the protection thereof rather than doing things that I am good at and interested in (in my case, electrical engineering).
Why do people always think we expect to blow your minds, or that bitcoin is perfect? I didn't insult you.
Anyways, FWIW I did study some basic economics. You're ignoring the "principal-agent problem" and transaction costs with banks - you have to actually understand how they work and what they do if you don't want to get screwed out of a bunch of money. Do you hire someone to cook all your meals for you and drive you around too, doing no labor whatsoever but electrical engineering? Do bankers hire you to plug their home appliances into electrical sockets? Of course not, because there are some simple things that everyone should be able to do - a cold wallet on a secure machine isn't one of them yet, but as a technical person it's already within your ability.
I'm a mechanical engineer myself, but it seems painfully obvious even to me that the banks aren't trustworthy and should be cut out of the picture. If you honestly think they're giving you a good deal, by all means keep toiling away in the electricity mines until they tell you that you can retire. You're screaming "Stockholm Syndrome" at everyone.