There’s been a lot of confusion over the last few days, since bitcoin.org announced that an Android component responsible for generating secure random numbers contained a critical weakness that rendered many Android bitcoin wallets vulnerable.
There are a number of different issues that seem to have come into play to make these bitcoin wallets vulnerable.
Bitcoin uses the ECDSA algorithm to ensure that funds can only be spent by their rightful owners. The algorithm requires a random number to compute an ECDSA signature, but if two different messages are signed with the same private key and the same random number, the private key can be derived. This is a known method of attacking the algorithm and was previously used to break the security of other products, such as the PlayStation 3 master key.
On the Android side, the implementation of the SecureRandom class may be vulnerable in some Android versions. Earlier this year, two researchers presented on a number of issues which they claimed affected the randomness of numbers generated by SecureRandom.
Android versions from 4.2 (Jelly Bean) and on may not be affected by these specific flaws since SecureRandom was reimplemented.
Certain bitcoin wallet applications using Android’s SecureRandom signed multiple transactions using an identical ‘random’ number. Since transactions are public on the bitcoin network, attackers scanned the transaction block chain looking for these particular transactions to retrieve the private key and transfer funds from the bitcoin wallet without the owner’s consent.
Other Android apps may be vulnerable to similar attacks depending on how they implement SecureRandom. Looking at Norton Mobile Insight data, we have found over 360,000 applications that make use of SecureRandom and over 320,000 of them use SecureRandom in the same way the bitcoin wallets did (they did not call setSeed). The types of applications affected are almost uniformly distributed:
Figure. Affected application distribution
We strongly advise users of Android bitcoin wallet apps to check whether their applications are affected, and to follow the steps outlined by bitcoin.org to make their funds safe. We would also like to advise Android developers to stay tuned and review their cryptographic implementations based on SecureRandom and evaluate whether this could pose a security risk.