Author: ExtremeTech

Fans of the fledgling cryptocurrency known as Bitcoin got quite a shock in recent days as some clever thieves worked out yet another method to swipe virtual cash from unsuspecting users. The source of the theft was traced to a bug in Android, and now Google has acknowledged the flaw exists. Not only could this further tarnish the reputation of Bitcoin as a secure anonymous currency, but it could spell trouble for an enormous number of other Android apps.

The Bug

Computer systems often have need of random numbers, and Android is no exception. Google has been using the Java Cryptography Architecture (JCA) ever since API version 1 when Android was released in 2008. Part of JCA is a class known as SecureRandom. You can probably guess what it’s supposed to do from the name.

When an app invokes SecureRandom, the OS is supposed to generate a random number. This process is only secure if its output is non-deterministic, at least in the practical sense — if it can be predicted, it’s useless. SecureRandom is supposed to run Android’s OpenSSL PRNG (pseudorandom number generator) with an entropy seed from /dev/urandom, a protected system root file.

However, this isn’t working correctly on most versions of Android. When an app tries to generate a random number, the urandom file is not being accessed at all. As a result, there is no random seed, making the generation process flawed from the start.

Supposedly random numbers generated using the standard SecureRandom class turn out to be slightly less random than they ought to be. Numbers output by this tool may be repeated and therefore are predictable. According to Google’s assessment of the problem, apps that explicitly read from /dev/urandom (using the setSeed function in Android) or use a separate PRNG are not affected, but very few apps bother with that. A small number do go to the trouble, though. This is the root cause of the bug that resulted in stolen Bitcoins.
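The two things a developer could do about the behaviour just described are to seed the generator from /dev/urandom explicitly, as the article notes the unaffected apps did, and to check the generator's output for repeats. The following class is an added illustration, not Android's or Google's code; it uses only the standard JCA API (`SecureRandom.setSeed`, `nextBytes`, the `SHA1PRNG` provider name) and the path `/dev/urandom` the article names.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Added example: explicit /dev/urandom seeding plus a repeat check for SecureRandom. */
public final class UrandomSeededRandom {

    private static final String URANDOM = "/dev/urandom";

    /**
     * Mixes 32 bytes of kernel entropy into a SecureRandom before first use.
     * Per the JCA contract, setSeed() supplements the existing state rather
     * than replacing it, so this is harmless on a platform that already
     * seeds correctly and decisive on one that never read /dev/urandom.
     */
    public static SecureRandom seededFromUrandom() throws IOException {
        byte[] seed = new byte[32];
        try (DataInputStream in = new DataInputStream(new FileInputStream(URANDOM))) {
            in.readFully(seed); // readFully: never accept a short read as a full seed
        }
        SecureRandom rng = new SecureRandom();
        rng.setSeed(seed);
        return rng;
    }

    /**
     * Draws {@code count} 256-bit values and returns how many repeat an earlier
     * one. A healthy generator returns 0 for any count a program can afford to
     * draw; a single repeat means the state is tiny or was never seeded.
     */
    public static int countRepeats(SecureRandom rng, int count) {
        Set<BigInteger> seen = new HashSet<>();
        byte[] buf = new byte[32];
        int repeats = 0;
        for (int i = 0; i < count; i++) {
            rng.nextBytes(buf);
            if (!seen.add(new BigInteger(1, buf))) {
                repeats++;
            }
        }
        return repeats;
    }

    /**
     * Reproduces the failure mode in miniature: SHA1PRNG seeded with a
     * constant before any output skips self-seeding, so two independent
     * instances emit identical streams, which is exactly what two app
     * installs sharing an unseeded generator would do.
     */
    public static boolean constantSeedGivesIdenticalStreams() throws Exception {
        SecureRandom a = SecureRandom.getInstance("SHA1PRNG");
        SecureRandom b = SecureRandom.getInstance("SHA1PRNG");
        a.setSeed(new byte[32]); // constant seed: fully deterministic from here on
        b.setSeed(new byte[32]);
        byte[] x = new byte[32];
        byte[] y = new byte[32];
        a.nextBytes(x);
        b.nextBytes(y);
        return Arrays.equals(x, y);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = seededFromUrandom();
        System.out.println("repeats in 100000 draws: " + countRepeats(rng, 100_000));
        System.out.println("constant seed gives identical streams: "
                + constantSeedGivesIdenticalStreams());
    }
}
```

The repeat check is a smoke test, not a proof of randomness: it only catches the gross defect the article describes, a generator whose effective state is so small that outputs recur. The explicit seeding is the part that actually closes the gap on an affected device.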

The Bitcoin Caper

So how does an obscure bug in pseudorandom number generation result in stolen Bitcoins? It’s all about encryption keys. Bitcoin uses public/private key cryptography to sign all transactions. Many apps use SecureRandom to generate these wallet keys, but the bug caused them to actually reuse numbers on occasion.

As anyone who’s ever dabbled in cryptography knows, the more examples you have of a code, the easier it is to break. The public keys on Bitcoin transactions are easy to scan, which is probably what the perpetrators of this hack did. They looked for repeats in public keys, and used that data to solve for the private keys, which should only be known to the owner of the Bitcoin wallet. At that point, the attacker had the user’s Bitcoin address. It was a simple matter to transfer the money to a different account.
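The number that must never repeat in a Bitcoin signature is ECDSA's per-signature nonce k, which is exposed on the chain through the signature's r value; two signatures over different hashes with the same r are the "repeats" the article refers to, and the private key follows from them. The class below is an added example, not code from the article or from any wallet: the first method is the defender's scan (flag every key involved in an r collision so its funds can be moved), and the second is the standard remedy, RFC 6979 deterministic nonces, which derive k from the private key and message hash with HMAC-SHA256 so that a broken system PRNG cannot cause a repeat. The `Sig` record and the sample signatures are constructed for the demonstration; the curve order is that of secp256k1.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: detecting ECDSA nonce reuse and generating RFC 6979 nonces. */
public final class NonceHygiene {

    /** Group order n of secp256k1, the curve Bitcoin signatures use. */
    static final BigInteger N = new BigInteger(
            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16);

    /** A signature as seen on the chain: signer, r, s and the hash z it signed (constructed type). */
    record Sig(String pubKey, BigInteger r, BigInteger s, BigInteger z) {}

    /**
     * Detection: group signatures by r. Two signatures with equal r but a
     * different (key, hash) pair used the same nonce k. Within one key that
     * lets anyone solve for the private key; across keys it still proves the
     * signing PRNG is broken. Every key in such a group is reported.
     */
    public static Set<String> keysInNonceCollisions(List<Sig> sigs) {
        Map<BigInteger, List<Sig>> byR = new HashMap<>();
        for (Sig s : sigs) {
            byR.computeIfAbsent(s.r(), k -> new ArrayList<>()).add(s);
        }
        Set<String> flagged = new TreeSet<>();
        for (List<Sig> group : byR.values()) {
            Set<String> distinct = new HashSet<>();
            for (Sig s : group) {
                distinct.add(s.pubKey() + ":" + s.z()); // same key re-signing the same hash is not a collision
            }
            if (distinct.size() > 1) {
                for (Sig s : group) flagged.add(s.pubKey());
            }
        }
        return flagged;
    }

    /**
     * Mitigation: RFC 6979 section 3.2 with HMAC-SHA256, qlen = hlen = 256.
     * The nonce is a function of the private key and the message hash only,
     * so the same key signing the same hash yields the same k, and different
     * hashes yield unrelated values, with no dependence on the system PRNG.
     */
    public static BigInteger rfc6979Nonce(BigInteger privKey, byte[] msgHash) throws Exception {
        byte[] x = int2octets(privKey);
        byte[] h1 = int2octets(new BigInteger(1, msgHash).mod(N)); // bits2octets(h1)
        byte[] v = new byte[32];
        Arrays.fill(v, (byte) 0x01);                                // V = 0x01 * hlen/8
        byte[] k = new byte[32];                                    // K = 0x00 * hlen/8
        k = hmac(k, concat(v, new byte[] {0x00}, x, h1));
        v = hmac(k, v);
        k = hmac(k, concat(v, new byte[] {0x01}, x, h1));
        v = hmac(k, v);
        while (true) {
            v = hmac(k, v);                       // T = V, already qlen bits
            BigInteger cand = new BigInteger(1, v);
            if (cand.signum() > 0 && cand.compareTo(N) < 0) {
                return cand;
            }
            k = hmac(k, concat(v, new byte[] {0x00}));  // candidate out of range: rekey and retry
            v = hmac(k, v);
        }
    }

    static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    /** Fixed 32-byte big-endian encoding, dropping BigInteger's optional sign byte. */
    static byte[] int2octets(BigInteger v) {
        byte[] raw = v.toByteArray();
        byte[] out = new byte[32];
        int copy = Math.min(raw.length, 32);
        System.arraycopy(raw, raw.length - copy, out, 32 - copy, copy);
        return out;
    }

    static byte[] concat(byte[]... parts) {
        int len = 0;
        for (byte[] p : parts) len += p.length;
        byte[] out = new byte[len];
        int pos = 0;
        for (byte[] p : parts) {
            System.arraycopy(p, 0, out, pos, p.length);
            pos += p.length;
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: key "A" signed two different hashes with the same r; "B" did not.
        List<Sig> sample = List.of(
                new Sig("A", BigInteger.valueOf(1234), BigInteger.valueOf(11), BigInteger.valueOf(100)),
                new Sig("A", BigInteger.valueOf(1234), BigInteger.valueOf(12), BigInteger.valueOf(200)),
                new Sig("B", BigInteger.valueOf(5678), BigInteger.valueOf(13), BigInteger.valueOf(300)));
        System.out.println("keys in nonce collisions: " + keysInNonceCollisions(sample));

        byte[] h = MessageDigest.getInstance("SHA-256")
                .digest("hello".getBytes(StandardCharsets.UTF_8));
        BigInteger k1 = rfc6979Nonce(BigInteger.ONE, h);
        BigInteger k2 = rfc6979Nonce(BigInteger.ONE, h);
        System.out.println("same key and hash give the same nonce: " + k1.equals(k2));
    }
}
```

The record syntax needs Java 16 or later; on older JDKs replace it with a small final class holding the same four fields. The collision scan is what a wallet operator or exchange can run over its own transaction history: any key it reports should be treated as compromised and emptied to a fresh key, whichever generator produced the repeat.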

It’s hard to know how much money has been stolen as this bug has existed for a long time — there were reports of SecureRandom repeats several years ago. It’s possible some of the unexplained Bitcoin thefts of recent years stem from this problem. All Bitcoin enthusiasts have been able to definitively point to so far is the theft of 55 Bitcoins last week, valued at $5,720.
