n4ru
August 11, 2013, 09:09:07 PM

The issue appears to be in the Java implementation of SecureRandom that Google uses.

Mike Hearn (OP)
August 11, 2013, 09:09:19 PM

Re: Electrum. I don't know how Electrum on Android does signing. It might well have a similar problem, especially if it uses OpenSSL.

Andreas Schildbach
August 11, 2013, 09:16:25 PM

Re: Electrum. I don't know how Electrum on Android does signing. It might well have a similar problem, especially if it uses OpenSSL.

At least it's not running on Java, AFAIK. So it can't be affected by the same issues.

ReCat
August 11, 2013, 09:32:09 PM

Thank god I have an iPhone. As far as Apple is concerned, Bitcoin wallets don't exist for iOS. Security through obscurity is good, I think.

BTC: 1recatirpHBjR9sxgabB3RDtM6TgntYUW Hold onto what you love with all your might, Because you can never know when - Oh. What you love is now gone.

btcsql
August 11, 2013, 09:35:41 PM

Mike Hearn, you are the man now dog!

bitcool
Live and enjoy experiments
August 11, 2013, 10:35:07 PM

How "critical" is it? Has there been any successful attack using this weakness?

niko
August 11, 2013, 10:44:24 PM

How "critical" is it? Has there been any successful attack using this weakness?

Sounds extremely critical, see links below.

done and done, thanks to you and this community for such watchfulness and timeliness with these kinds of issues.

You're joking, aren't you? This post is over one month old, while this one over half a year... Watchfulness my ass

They're there, in their room. Your mining rig is on fire, yet you're very calm.

Phinnaeus Gage
Bitcoin: An Idea Worth Spending
August 11, 2013, 10:48:08 PM

So basically, Google pulled a Sony...

So, this is the same type of attack as was Sony Playstation network hack (ECDSA random numbers not being random) - so you would expect that developers test their software for the same weakness, right? AFAIK it is a relatively new algorithm chosen because of short signatures produced, so it might even get broken (even with working random number generators). Something should be done about that...

The exploit isn't in the algorithm, it's in generating a secure random number. It also wasn't the PSN hack, it was the PS3 hack. With Sony, they used the same number every single time. It simply wasn't random, and was a horrible, or rather, *not* an implementation of the encryption in the right manner. With Android, the same random number apparently comes up once in a while. Still horrible considering the money involved (probably worse), but there's only a chance to get the same random number (as opposed to guaranteed with Sony).

As I get my head wrapped around this, what comes to mind after reading the above is that if a random number is picked from a finite set of 10K elements, e.g., a duplicate is more apt to appear than choosing a random number from a finite set of 10 100,000 elements. Does this make sense?

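The nonce-reuse failure discussed in the post above, as an added illustration that is not from this thread or from any of the wallet projects named in it: a minimal ECDSA over secp256k1 in pure Python, a signer that takes an explicit nonce k so that a repeated k visibly yields a repeated r, a scan that flags one key reusing r across different message hashes (the footprint a defender would look for in the signatures an affected key has published), and, going beyond the thread, a simplified RFC 6979-style deterministic nonce as the mitigation. The curve constants are real; the key, the nonce, the key label "A" and the transaction hashes are constructed for the demo, and deterministic_k is a stand-in, not the full RFC 6979 procedure.

```python
import hashlib, hmac, secrets
from collections import defaultdict
P = 2**256 - 2**32 - 977  # secp256k1 field prime (the curve Bitcoin signs with)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    out = None
    while k:
        if k & 1: out = ec_add(out, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return out

def sign(d, z, k):  # ECDSA with an explicit nonce k: r = x(k*G) mod N, so reusing k reuses r
    r = ec_mul(k, G)[0] % N
    return (r, pow(k, -1, N) * (z + r * d) % N)

def verify(pub, z, sig):
    r, s = sig
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def deterministic_k(d, z):  # simplified RFC 6979-style nonce (HMAC of key and hash; not the full spec)
    mac = hmac.new(d.to_bytes(32, "big"), z.to_bytes(32, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % N or 1

def find_reused_r(sigs):  # sigs: (key_id, r, s, z); flag one key reusing r across different hashes
    seen = defaultdict(list)
    for i, (key_id, r, _s, _z) in enumerate(sigs):
        seen[(key_id, r)].append(i)
    return {g: ix for g, ix in seen.items()
            if len(ix) > 1 and len({sigs[i][3] for i in ix}) > 1}

def demo():  # constructed: one key, two tx hashes; a faulty RNG repeating k vs a deterministic k
    d, k = (secrets.randbelow(N - 1) + 1 for _ in range(2))
    hashes = [int.from_bytes(hashlib.sha256(m).digest(), "big") for m in (b"tx1", b"tx2")]
    faulty = [("A", *sign(d, z, k), z) for z in hashes]
    fixed = [("A", *sign(d, z, deterministic_k(d, z)), z) for z in hashes]
    return len(find_reused_r(faulty)), len(find_reused_r(fixed))
```

demo() returns (1, 0): the faulty signer is flagged once, the deterministic signer never, and two signatures under one key that share r are exactly the condition under which the key can be solved for.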
kano
Linux since 1997 RedHat 4
August 11, 2013, 11:22:06 PM

I've always thought computers could not generate random numbers. I once won a large prize buying the last ticket before a lotto draw, computer random number generator was the source though I didn't complain at the time

Nothing can generate a random number. Us included. Only pseudo-random.

So you believe that radioactive decay is deterministic? If so, you are in the minority. Say I have two uranium atoms and one of them decays before the other, what do you think accounts for that?

Ah, that's how Apple solved it? Their phones have uranium in them

Xer0
August 11, 2013, 11:52:53 PM

explains the price...

ionstorm
August 12, 2013, 12:58:34 AM

I randomly received .15 BTC yesterday to one of my Android generated addresses. Why would I randomly get free money? This never happened to me before, is this related to the flaw?

Sukrim
August 12, 2013, 01:05:01 AM

I randomly received .15 BTC yesterday to one of my Android generated addresses. Why would I randomly get free money? This never happened to me before, is this related to the flaw?

Most likely not, either someone wanted to give a present to you or something else happened. It is not very likely that you would get MORE funds through this issue!

EagleTM
August 12, 2013, 01:10:25 AM

Regarding Electrum:
We need to look into this further, but as far as I'm aware Electrum relies on Python's random implementation, which is usually the operating system's PRNG. This would make running Electrum on Android vulnerable to the same vectors as described in this post for other wallets.
Even if you created the seed on another platform, it may be possible to reveal the ECDSA private key of one of the addresses by spending (signing) multiple times from one address on Android. The seed itself should be safe.
The userbase of Electrum on Android (SL4A) is small because of the cumbersome setup. Still, if you are a user and want to be safe, don't spend from Android until further news is available, and secure funds from addresses which you have spent from in Android and still have funds on.

millsdmb
August 12, 2013, 01:12:56 AM

I randomly received .15 BTC yesterday to one of my Android generated addresses. Why would I randomly get free money? This never happened to me before, is this related to the flaw?

did you google the sending address?

EagleTM
August 12, 2013, 01:15:21 AM

I randomly received .15 BTC yesterday to one of my Android generated addresses. Why would I randomly get free money? This never happened to me before, is this related to the flaw?

Though unlikely, I suppose if you (not so) "randomly" happened to create a collision on Android you may have gained .15 BTC of another user and both of you could spend it. It may well be related but certainly a coincidence. Would be interesting if this is followed up...

justusranvier
August 12, 2013, 01:25:27 AM

Of course it must work multiple times - just like PGP/RSA has been working, ever since it was invented. And nobody says that you using the same PGP key twice "should be considered negligent" - it would just defeat the purpose of a digital signature

A better analogy would compare Bitcoin addresses to session keys.

ironfalcon
August 12, 2013, 01:55:03 AM

http://bitcoin.org/en/alert/2013-08-11-android We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.

As a former Google employee I thank you for your vigilance!

millsdmb
August 12, 2013, 02:08:16 AM

http://bitcoin.org/en/alert/2013-08-11-android We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet. As a former Google employee I thank you for your vigilance!

How many BTC you want for that crazy hat they give you?

grau
August 12, 2013, 03:17:53 AM

The new bitcoinj release that will be announced shortly has some initial code for BIP32. It's definitely something I want to integrate. It's difficult on mobile devices because they don't have any swapfile, so you can't just use as much memory as you want. You have to define a key window in which money can be received. Coins sent to keys that fall outside that window won't show up which is obviously very problematic. All in all, it's delicate and will require some careful experimentation and testing to make it work.

The BOP android wallet to be released in conjunction with our payment solution uses BIP32. The mobile uses the next even index of BIP32 as change and odd as next receiver addresses. The server implements a single pass scan using a BIP32 public key, that generates an increasing look ahead window from last seen address on the block chain.

tgeller
August 12, 2013, 03:31:12 AM

What about other Android wallets that are derived from Schildbach's code, such as Litecoin-Qt and Feathercoin-Qt??? I assume they have the same vulnerability. Any plans to update those?