Android Vulnerability Found to Be Culprit in Bitcoin Theft

Operating system vulnerabilities are just a fact of life. However, while the Wi-Fi exploit recently discovered in Windows Phone (News - Alert) is a pretty typical example of the type of issue likely to pop up, it can sometimes get a little weirder and more specific.

Take, for example, a cryptographic vulnerability recently confirmed by Google (News - Alert) developers in Android. This vulnerability is able to generate “serious security glitches on hundreds of thousands of end user apps,” according to Ars Technica, which already sounds serious enough without factoring in that many of those apps can make bitcoin transactions.

This is noteworthy because this weakness in Android’s (News - Alert) Java Cryptography Architecture has been discovered as the root cause of a recent bitcoin transaction that resulted in the theft of nearly $6,000 worth of bitcoins out of a digital wallet. This was acknowledged in a blog post by Google security engineer Alex Klyubin, who warned that other apps might be compromised as well unless they change the way they access pseudo random number generators (PRNGs).

"We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG," states the post. "Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected.”

Meanwhile, apps that use the HttpClient and java.net classes to establish encrypted connections aren’t vulnerable.

PRNGs are a key aspect of many cryptographic applications as they help computers produce long numbers that are impossible to predict. They also help ensure that the keys used to encrypt or digitally sign data can’t be cracked easily.

Unfortunately, the Android apps that were exploited in the bitcoin thefts may have been using the same number to sign numerous transactions, which the apps thought was random, according to Symantec (News - Alert). Transactions are public, meanwhile, on the bitcoin network, allowing attackers to scan the transaction block chain to look for those transactions, retrieve the private key, and transfer funds from bitcoin wallets without the owners’ knowledge or consent.