[ANNOUNCE] Android key rotation

[n4ru]

Just wondering, would this affect Electrum as well?

I m asking as it uses Google Scripting Layer & Python for Android

http://electrum.org/android.html

The issue appears to be in the java implementation of secureRandom that Google uses.

[1714146042]

1714146042

[Mike Hearn]

Re: Electrum. I don't know how Electrum on Android does signing. It might well have a similar problem, especially if it uses OpenSSL.

[Andreas Schildbach]

Re: Electrum. I don't know how Electrum on Android does signing. It might well have a similar problem, especially if it uses OpenSSL.

At least its not running on Java, afaik. So it can't be affected by the same issues.

[ReCat]

Thank god I have an iPhone

As far as apple is concerned. Bitcoin wallets don't exist for iOS. Security through obscurity is good, I think.

[btcsql]

Mike Hearn, you are the man now dog!

[bitcool]

How "critical" is it? Has there been any successful attack using this weakness?

[niko]

How "critical" is it? Has there been any successful attack using this weakness?

Sounds extremely critical, see links below.

done and done, thanks to you and this community for such watchfulness and timeliness with these kinds of issues.

You're joking, aren't you?

This post is over one month old, while this one over half a year...
Watchfulness my ass

[Phinnaeus Gage]

So basically, Google pulled a Sony...

So, this is the same type of attack as was Sony Playstation network hack (ECDSA random numbers not being random) - so you would expect that developers test their software for the same weakness, right?

AFAIK it is a relatively new algorithm chosen because of short signatures produced, so it might even get broken (even with working random number generators). Something should be done about that...

The exploit isn't in the algorithm, it's in generating a secure random number. It also wasn't the PSN hack, it was the PS3 hack.

With Sony, they used the same number every single time. It simply wasn't random, and was a horrible, or rather, *not* an implementation of the encryption in the right manner.

With Android, the same random number apparently comes up once in a while. Still horrible considering the money involved (probably worse), but there's only a chance to get the same random number (as opposed to guaranteed with Sony).

As I get my head wrapped around this, what comes to mind is after reading the above is that if a random number is picked from a finite set of 10K elements, e.g., a duplicate is more apt to appear then choosing a random number from a finite set of 10^100,000 elements. Does this make sense?

[kano]

Ive always thought computers could not generate random numbers.    I once won a large prize buying the last ticket before a lotto draw, computer random number generator was the source though I didnt complain at the time

Nothing can generate a random number. Us included. Only pseudo-random.

So you believe that radioactive decay is deterministic? If so, you are in the minority. Say I have two uranium atoms and one of the decays before the other, what do you think accounts for that?

Ah, that's how Apple solved it?
Their phones have uranium in them

[Xer0]

explains the price...

[ionstorm]

i randomly received .15 btc yesterday to one of my android generated addresses.  Why would I randomly get free money?  this never happened to me before, is this related to the flaw?

[Sukrim]

i randomly received .15 btc yesterday to one of my android generated addresses.  Why would I randomly get free money?  this never happened to me before, is this related to the flaw?

Most likely not, either someone wanted to give a present to you or something else happened. It is not very likely that you would get MORE funds through this issue!

[EagleTM]

Regarding Electrum:

We need to look into this further but as far as I'm aware Electrum relies on python's random implementation which is usually the operating system's PRNG. This would make running Electrum on Android vulnerable to the same vectors as described in this post for other wallets.

Even If you created the seed on another platfrom it may be possible to reveal the ECDSA private key of one of the addresses by spending (signing) multiple times from one address on Android. The seed itself should be safe.

The userbase of Electrum on Android (SL4A) is small because of the cumbersome setup. Still, if you are a user and want to be safe don't spend from Android until further news are available and secure funds from addresses which you have spent from in Android and still have funds on.

[millsdmb]

i randomly received .15 btc yesterday to one of my android generated addresses.  Why would I randomly get free money?  this never happened to me before, is this related to the flaw?

did you google the sending address?

[EagleTM]

i randomly received .15 btc yesterday to one of my android generated addresses.  Why would I randomly get free money?  this never happened to me before, is this related to the flaw?

Though unlikely I suppose if you (not so) "randomly" happened to create a collision on Android you may have gained .15 BTC of an other user and both of you could spend it. It may well be related but certainly a coincidence. Would be interesting if this is followed up...

[justusranvier]

Of course it must work multiple times - just like PGP/RSA has been working, ever since it was invented.
And nobody says that you using the same PGP key twice "should be considered negligent" - it would just defeat the purpose of a digital signature

A better analogy would compare Bitcoin addresses to session keys.

[ironfalcon]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

http://bitcoin.org/en/alert/2013-08-11-android

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.

as a former Google employee I thank you for your vigilance!

[millsdmb]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

http://bitcoin.org/en/alert/2013-08-11-android

We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.

as a former Google employee I thank you for your vigilance!

How many BTC you want for that crazy hat they give you?

[grau]

The new bitcoinj release that will be announced shortly has some initial code for BIP32. It's definitely something I want to integrate. It's difficult on mobile devices because they don't have any swapfile, so you can't just use as much memory as you want. You have to define a key window in which money can be received. Coins sent to keys that fall outside that window won't show up which is obviously very problematic. All in all, it's delicate and will require some careful experimentation and testing to make it work.

The BOP android wallet to be released in conjunction with our payment solution uses BIP32.

The mobile uses the next even index of BIP32 as change and odd as next receiver addresses. The server implements a single pass scan using a BIP32 public key, that generates an increasing look ahead window from last seen address on the block chain.

[tgeller]

What about other Android wallets that are derived from Schildbach's code, such as Litecoin-Qt and Feathercoin-Qt??? I assume they have the same vulnerability. Any plans to update those?