A few days ago a severe vulnerability in the Android implementation of the Java SecureRandom random number generator was discovered. The result of this vulnerability is that private keys used in transactions on Android devices can be determined. All bitcoins in addresses used on Android devices need to be immediately rotated to a new address.
Bitcoin uses public/private key cryptography to sign bitcoin transactions. The security of the system relies on each address having its own private key that is known only to the owner of the address. If a malicious party were to gain control of the private keys associated with an address, they would be able to spend any bitcoins that were sent to it.
SecureRandom is a Java class that generates cryptographically strong random numbers. In order to remain secure, the random numbers used to generate private keys must be nondeterministic, meaning that the output of the generator cannot be predicted. Mike Hearn stated in an email to bitcoin developers regarding the SecureRandom class on Android, “Android phones/tablets are weak and some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen.” Bitcoin uses a random number in transaction signatures, and if the same random number is reused, the private key of the wallet can be determined.
Before the announcement was made, users on the bitcointalk.org forums had noticed over 55 BTC were stolen a few hours after the client improperly signed a transaction using the compromised random number generator. Users observed SecureRandom re-using the same random numbers for multiple transactions, thus compromising the private keys.
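As an added example (not from the original article or any wallet project), the following check is one a wallet owner could run over signatures made by their own keys to find the colliding R values described above and list the keys that need rotating. The record layout, key labels and signature values are constructed, and the signatures are assumed to be DER-encoded with the trailing sighash byte already removed.

```python
from collections import defaultdict

def parse_der_sig(sig: bytes):
    """Strictly parse DER SEQUENCE { INTEGER r, INTEGER s } and return (r, s)."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the declared length")
    pos, values = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER tag")
        n = sig[pos + 1]
        body = sig[pos + 2 : pos + 2 + n]
        if n == 0 or len(body) != n or body[0] & 0x80:
            raise ValueError("truncated, empty or negative INTEGER")
        values.append(int.from_bytes(body, "big"))
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return values[0], values[1]

def find_reused_r(records):
    """records: (txid, pubkey_label, der_sig). Returns {(pubkey, r): [txids]}
    for every r that appears with two or more different s values under one key."""
    seen = defaultdict(dict)                      # (pubkey, r) -> {s: txid}
    for txid, pubkey, sig in records:
        r, s = parse_der_sig(sig)
        seen[(pubkey, r)].setdefault(s, txid)     # identical (r, s) is a duplicate, not reuse
    return {k: sorted(v.values()) for k, v in seen.items() if len(v) > 1}

def keys_to_rotate(records):
    return sorted({pubkey for pubkey, _ in find_reused_r(records)})

# --- constructed sample data (not real signatures) ---
def _der_int(v):
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")   # leading 0x00 keeps the value positive
    return b"\x02" + bytes([len(b)]) + b

def der_sig(r, s):
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body

R1, R2 = int("c3" * 32, 16), int("11" * 32, 16)
SAMPLE = [
    ("tx-a", "pubkey-A", der_sig(R1, int("21" * 32, 16))),
    ("tx-b", "pubkey-A", der_sig(R1, int("35" * 32, 16))),  # same r as tx-a, different s
    ("tx-c", "pubkey-A", der_sig(R2, int("47" * 32, 16))),
    ("tx-d", "pubkey-B", der_sig(R2, int("59" * 32, 16))),
]

if __name__ == "__main__":
    print("rotate:", keys_to_rotate(SAMPLE))
```

Any key this reports has signed at least two different messages with the same random number and should be treated as compromised.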
There are two types of mobile wallets: those where the private keys are generated locally on the phone, and those where private keys are held by a private company. Android wallet apps where keys are generated on the device include Bitcoin Wallet, BitcoinSpinner, Mycelium Wallet, and Blockchain.info. Blockchain.info has already repaired the vulnerability, Bitcoin Wallet has an update in beta testing, and fixes for BitcoinSpinner and Mycelium are currently in development.
The updated version of the Bitcoin Wallet that will be released today or tomorrow has stopped using the SecureRandom class and instead reads from /dev/urandom directly. It will automatically send users’ coins to more secure addresses. The announcement on bitcoin.org identified a three-step process to secure existing addresses on all other apps:
- Generate a new address on a secure random number generator.
- Transfer all existing bitcoins to the new address. Do not send any bitcoins from this address using an Android device until the updates are implemented.
- Notify any users of your old address of the change, so that the compromised address does not receive any more bitcoins.