After the discovery of a severe vulnerability in the Android implementation of the Java SecureRandom class (a random number generator), Bitcoin.org is warning every user of the immediate need to rotate to a new address.
As a result of this vulnerability, the private keys used to sign cryptocurrency transactions on Android devices can be determined. The security of the system depends on each address having its own private key, known only to the owner of the address, so this makes it easier for a malicious party to spend the coins without authorization.
Everything started when users on the bitcointalk.org forums noticed that more than 55 BTC had been stolen a few hours after the client allegedly “signed” a transaction using the compromised Java SecureRandom. After the first alert, the users acknowledged the problem: they observed that SecureRandom was re-using the same random numbers for multiple transactions, which means it was compromising the private keys and putting the users’ Bitcoins at risk.
So, this Sunday (11), Bitcoin.org made an official announcement:
“We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft. Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app.
“An incomplete list would be blockchain.info wallet, BitcoinSpinner, Bitcoin Wallet and Mycelium Wallet. Apps where you don’t control the private keys at all are not affected. For example, exchange frontends like the Coinbase or Mt Gox apps are not impacted by this issue because the private keys are not generated on your Android phone.”
To make sure you are not caught by this vulnerability, Bitcoin.org recommends key rotation to secure existing wallets. “This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself. If you use an Android wallet then we strongly recommend you to upgrade to the latest version available in the Play Store as soon as one becomes available. Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one”, explains the organization.
In the meantime, updates are being prepared for some wallet apps: Bitcoin Wallet’s update is in beta testing now, BitcoinSpinner’s update is also being prepared, Mycelium Wallet v0.6.5 can already be installed from Google Play or mycelium.com, and the update for blockchain.info is also being prepared.
According to Bitcoin.org, “if you use Bitcoin Wallet by Andreas Schildbach, the key rotation will occur automatically soon after you upgrade. The old addresses will be marked as insecure in your address book. You will need to make a fresh backup”. This update has stopped using the SecureRandom class: instead, it reads from /dev/urandom directly.
Via bitcoin.org and thegenesisblock.com