Forgot your password?
typodupeerror
Bitcoin Android Bug Security

Google Admits Bitcoin Thieves Exploited Android Crypto PRNG Flaw 183

Posted by timothy
from the oopsie dept.
rjmarvin writes "The theft of 55 Bitcoins, or about $5,720, through Android wallet apps last week was made possible because of flaws in Android's Java and OpenSSL crypto PRNG, Google revealed in a blog post. In the wake of a Bitcoin security advisory and a Symantec vulnerability report, the Android Developers Blog admitted the reason the thieves were able to pilfer their wallet apps. The flaws are already, or in the process of being repaired."
This discussion has been archived. No new comments can be posted.

Google Admits Bitcoin Thieves Exploited Android Crypto PRNG Flaw

Comments Filter:
  • by mveloso (325617) on Thursday August 15, 2013 @01:32PM (#44575411)

    Is it up to the OEM to backport the patch to all the various android versions that they have? If so, this vulnerability will live forever.

    It's like google and its partners are building this huge botnet of vulnerable devices. Every year it gets bigger.

    • by Baloroth (2370816) on Thursday August 15, 2013 @01:51PM (#44575605)

      The flaw can be fixed at the application level by manually initializing the PRNG with entropy from /dev/random or /dev/urandom (the built-in tool wasn't doing that properly unless explicitly told to, hence the vulnerability). Some apps will already be immune, and the rest can be patched to fix the problem. An update to Android proper is not required, unless the app isn't updated for some reason (in which case, find a new wallet).

      • "The flaw can be fixed at the application level by manually initializing the PRNG with entropy from /dev/random or /dev/urandom (the built-in tool wasn't doing that properly unless explicitly told to, hence the vulnerability)."

        Exactly. This doesn't look like an OS flaw at all... people were just using the random number generator improperly.

        There are 2 ways to use most PRNGs in software: with a "seed" value and without. In most cases, if you don't initialize with a properly random seed, you're doing it wrong. Un-seeded use might be fine for some games but little else.

        Having said that, it could be that the default initialization seed is insecure, and the "patches" change how that behaves. Fine, in that case it's an OS problem

        • by Baloroth (2370816)

          The flaw is with the OS (or at least with how the OS is intended to work), SecureRandom() on Android is supposed by default to use a cryptographically secure seed to initialize the PRNG (at least, according to the documentation [android.com]. In fact, it's recommended on that documentation page not to seed it yourself). It does not do so, hence the security flaw.

          Fortunately, it's extremely easy to fix, but it's still a flaw in Android.

    • I would expect a two pronged attack on this with both a system side fix (for devices that are still getting updates) and application side fixes as app developers try to cover their users regardless of what version of andriod they are using.

      Users using non-market apps or apps from vendors who don't get the memo on smartphones that are no longer getting updates will of course be SOL.

    • by Sir_Sri (199544)

      If only I could give you mod points.

      This is without a doubt the big weakness in the android and windows phone markets. People will find exploits in your software, that's inevitable. But this problem of not being able to get updates unless you know how to root your phone and install a new build is just not going to work going forward. We cannot have a computing ecosystem where you cannot get updates unless you have significant technical skill to install them. It's just not going to work and it's going to

      • by cbhacking (979169)

        At least in WP's case, the updates come from MS themselves. There are (supposed to be) limits on how long the carriers / OEMs can hold back updates as well. But yeah, for most users the updates won't come as fast as they should.

        Still, it's a lot better than on Android.

      • by vux984 (928602)

        This is without a doubt the big weakness in the android and windows phone markets.

        I'm not sure that the Apple or Blackberry markets are all that much better. You could buy an iphone 3GS less than a year ago, and Apple has already announced that security vulnerabilities in ios6 aren't going to be patched. And the devices will not be eligible to upgrade to io7.

        We're talking several millions of the devices in active use, many of them less than a year old.

        Yes, that's not QUITE as bad as Android 2.x devices sitt

    • Buy a new phone. That's what they want and that's what they'll expect and that's your trade-off for buying something cheaper than an iPhone.
  • by gstoddart (321705) on Thursday August 15, 2013 @01:34PM (#44575429) Homepage

    This is why I wouldn't ever consider having my cell phone be something which can directly access my money.

    I don't trust the makers to competently build in security, and I believe that once everyone knows your cell phone is likely to be tied to your bank account, it's a soft target.

    They keep trying to find new ways to make it more 'convenient' to use these things to spend money, but 'convenient' in this case means insecure and fraught with privacy issues (and extra service fees if they can get away with it).

    Same with that tap to pay mechanism ... wow, you mean anybody with my physical card can spend my money without authorization? Gee, sign me up for that.

    Tech companies want to make a product or app for pretty much everything -- and a lot of them I find myself asking "who would want that?".

    Now, mind the steps while you're leaving my lawn, and don't trip on the sprinkler.

    • I don't trust the makers to competently build in security, and I believe that once everyone knows your cell phone is likely to be tied to your bank account, it's a soft target.

      A sensible and cautious approach. However it isn't all doom and gloom. To encourage customers to use online banking the banks largely have indemnified users against loss due to unauthorized access. The details vary but you typically can get your money back because it is insured or guaranteed by the bank. Might cause a lot of inconvenience but it's doable. It's not really any more or less secure than accessing your bank through a web browser on a PC. Not to say you couldn't be hacked or have some probl

      • by jxander (2605655)

        Frankly the soft target isn't your phone, it is your online user name and password. THAT is the point where most people fall down. Why bother breaking they crypto when you can just social engineer or guess your way into the account? Not to say you shouldn't be concerned about the strength of the crypto but it's not what keeps me up at night.

        Because breaking the crypto on a hardware/software platform will give you access to thousands, if not millions, of accounts. Social engineering has to be one on a 1 by 1 basis, or via mass spam broadcast, which relies on a lot more factors, including people not just being lazy and ignoring it.

    • by jxander (2605655)

      This is why I wouldn't ever consider having my cell phone be something which can directly access my money.

      This is why I actually manage my money.

      I have several different accounts, one of which is my "play" account. There's a debit card associated, which I use at bars or gamestop, and can send money from that account via phone if I want... but that account is extremely limited (never over $500) and isn't tied to any bills or recurring payments of any kind. So if that account ever gets compromised, meh, no big deal. The money is insured by the bank, so I'll get it all back... and while the account is in lim

    • by mattack2 (1165421)

      wow, you mean anybody with my physical card can spend my money without authorization?

      They already can. Buy online, gas station, etc. How many places actually check your ID or signature?

    • by thegarbz (1787294)

      Same with that tap to pay mechanism ... wow, you mean anybody with my physical card can spend my money without authorization? Gee, sign me up for that.

      /quote>

      Only up to a certain point, and if someone does steal your card and start making small $50 transactions the damage is quite limited. Oh and just like if someone steals your card and buys $1000 worth of stuff from the net the liability also sits with the card issuer.

      So yes, please sign up for that. That way you're not the dude fumbling with you wallet holding up the queue typing in your pin incorrectly at the terminal while the line behind you gets longer and longer because you fear your money will be taken by the money eating boogieman.

      Disclosure: I had my wallet stolen once, $700 worth of transactions appeared on my card. It took 2 phone calls and I got a new card and all my money back.

      As for the rest of your comment about security and phones... I fully agree with you. But I agree with you only because there's no defined rules on liability. If the handset manufacturer has legal liability for your loss of funds then I would once again jump on the convenience of making my life simpler and faster at the checkout.

  • by sl4shd0rk (755837) on Thursday August 15, 2013 @01:40PM (#44575511)

    FTFA: security researchers from Symantec issued a report on upwards of 360,000 apps using the SecureRandom class, containing the PRNG flaw in Bitcoinâ(TM)s Elliptic Curve Digital Signature Algorithm (ECDSA).

    May give a potential indication at the sheer number of applications affected by this exploit (which is programmer negligence apparently). Drilling into the Symantec article reveals how they arrived at that number.

    we have found over 360,000 applications that make use of SecureRandom and over 320,000 of them use SecureRandom in the same way the bitcoin wallets did (they did not call setSeed).

  • I applaud Google's admission, but sad to note that that the argument will embolden those who've been touting the "fact" [sophos.com] that iOS is more secure than Android.

    I guess one cannot be blamed for saying, "So much for the so called secure open nature of Android."

    It just doesn't seem to work...or does it?

    • by petermgreen (876956) <plugwashNO@SPAMp10link.net> on Thursday August 15, 2013 @02:22PM (#44575889) Homepage

      One big security problem with andriod is the distribution model. Google makes andriod and distributes it to their OEM partners (and to the general public though sometimes with a delay). The OEMs then customise it and pass it on to their users and in most cases (nexus excepted) all updates go through the OEM.

      The result is you get the situation of there being lots of older smartphones out there that are still perfectly usable but are no longer able to receive security updates in the regular manner because the OEM can no longer be bothered updating them. Sometimes it's possible to unlock the bootloader and install an unofficial build but that is at best something that requires you to be fairly technical and at worst something where even a computer expert like me can find myself in a dead end*.

      * For example htc officially offers a bootloader unlock process but when I tried it on my brother's old wildfire the software version on it was too new to apply the RUU needed for the bootloader unlock process.

  • by meta-monkey (321000) on Thursday August 15, 2013 @01:55PM (#44575631) Journal

    I'm so glad they're going to start regulating bitcoin. I mean, somebody ran off with $5,720! Monstrous!

    That's why I keep my money in safe, secure U.S. dollars and in the stock market, where you don't have to worry about dangerous criminals absconding with your savings.

    • by Linsaran (728833)
      I prefer to keep it in pure gold pressed latinum, the stock market is only good until the collapse of society, latinum is forever.
    • by steelfood (895457)

      That $5720 might not buy you a loaf of bread in 50 years, but it'll still be $5720 and not a cent less.

  • by MrKevvy (85565) on Thursday August 15, 2013 @01:56PM (#44575645)

    True random numbers are as simple as a reversed Zener diode connected to an A/D converter... quantum tunneling across the diode creates truly random signal, equivalent to thermal noise.

    So why isn't every CPU nowadays equipped with this, so that the RND function is done in hardware?

    • by gweihir (88907) on Thursday August 15, 2013 @02:22PM (#44575891)

      You ask the wrong question. Many embedded CPUs have these devices and with a driver, the Linux kernel uses them. But when the application designers chose to ignore /dev/random (where the kernel exposes its entropy collection), then no amount of good randomness provided by the kernel will help. Incidentally, /dev/random is very good even without hardware RNG, in certain situations you may just have to wait a bit.

      The second problem here was that the OpenSSL CPRNG is by its design very much dependent on a good initialization. This is not an obscure or hidden fact, but apparently Google had no competent security people on this project and did not ask any competent 3rd party for an independent review.

      • by steelfood (895457)

        Google had no competent security people on this project and did not ask any competent 3rd party for an independent review.

        What does Google care about the security of your data? They have it all anyway.

        • by gweihir (88907)

          Well, Google should care about looking competent. Now they look like clueless morons in public. Which they apparently are.

    • by swillden (191260)

      True random numbers are as simple as a reversed Zener diode connected to an A/D converter... quantum tunneling across the diode creates truly random signal, equivalent to thermal noise.

      Sure, if you don't mind highly-exploitable biases in your random numbers. Randomness is not enough. You also need to obtain a uniform distribution. Simple hardware designs may also be influenced by external signals, which may be predictable or even controllable by the attacker. The fact that there is some quantum-derived randomness doesn't mean there is no predictability.

      Doing this stuff right is hard. /dev/random in the Linux kernel actually does a fine job, better than any cost-effective hardware implem

  • Better to not trust (Score:2, Interesting)

    by m.dillon (147925)

    Hence why all my Android and iOS devices run a VPN (using the OpenVPN app which works great on both). Of course, the network at the VPN end-point isn't necessarily more secure, but it will be far more secure than all the networks in-between.

    The real question here is... will Google at LEAST update all the phones and pads under their own control? Motorola and Nexus updates, please!

    -Matt

  • Someone released an app on XDA, called Seeder, that purports to create entropy to seed the random number generator. Does this have anything to do with that app, or the bug that prompted the developer to write it? I remember when people were discussing the original app (which some people say only has a placebo effect), and they were saying it had security implications...does it make this problem worse or better?

  • by gweihir (88907) on Thursday August 15, 2013 @02:17PM (#44575845)

    This is not an OpenSSL-flaw. Proper initialization of a CPRNG is critical and the OpenSSL documentation states that. The choice of OpenSSL is however especially bad with a bad initialization, as the OpenSSL CPRNG does not continue to seed the generator with additional entropy during its operation, unlike /dev/random or /dev/urandom. Google messed up spectacularly in two regards:

    1. They had nobody that understood secure random number generation on the team
    2. They did not have their solution independently reviewed by a competent 3rd party

    They also selected a CPRNG especially vulnerable to bad seeding and did not use a source of good seeding readily available.

    These mistakes are on low amateur level when implementing cryptographic functionality. The dangers of bad CPRNG seeding have been well understood for decades. This looks like the all-to-often found mixture of incompetence and arrogance.

    • From what you say, it looks a lot like OpenSSL's fault: why does the RNG work even without proper initialization, allowing users to do the wrong thing in the first place? It should return an error unless safe_init() is called before get_random_number().
      • by gweihir (88907)

        No, it is not. A CPRNG cannot realistically evaluate the quality of the initialization data it is fed with. Sure, it could detect gross non-randomness, but that is it. (Example: Seed it with the time of day, encrypted with AES and key "123456789". That is a very bad seed, but basically impossible to detect without code analysis.)
        OpenSSL uses a small-state generator, which is extremely vulnerable to bad seeding. But that fact is not hidden in any way and well-known to experts.

        But you are not so wrong

        • by matfud (464184)

          Are you complaining about the api docs from SUN/Oracle or those from google as they are very different.

          • by gweihir (88907)

            Yes, indeed. I was not aware of the Android version. Having read it now, it is very clear Google messed this up badly/

    • This is not an OpenSSL-flaw. Proper initialization of a CPRNG is critical and the OpenSSL documentation states that. The choice of OpenSSL is however especially bad with a bad initialization, as the OpenSSL CPRNG does not continue to seed the generator with additional entropy during its operation, unlike /dev/random or /dev/urandom. Google messed up spectacularly in two regards:

      According to FAQ if /dev/urandom is there openssl uses it.

      http://www.openssl.org/support/faq.html#USER1 [openssl.org]

      • by gweihir (88907)

        Yes, but does the self-seeding of Java SecureRandom() use it too? My guess is it does all OpenSSL seeding itself and does not fall back on the OpenSSL defaults. And the Java documentation for SecureRandom() makes absolutely no statement about the quality of self-seeding.

  • If the phones used an Intel SOC, with the RdRand instruction, this would not have happened, because the phone would have over 100MBytes/s of cryptographically secure random numbers from an on chip TRNG, available to software through a single instruction.

    ARMs are limited in ways other than just being slow. When it comes to security, these things matter.

  • "The flaws are already, or in the process of being repaired..."

    Oh, so those 2% of Android devices which are running the latest Droid OS can breathe easy now...

  • by gweihir (88907) on Thursday August 15, 2013 @02:31PM (#44575973)

    Or rather the Java libraries and their documentation. My guess is that nobody working on this application even noticed that they did seed SecureRandom wrongly. At the same time, making sure this class is always seeded securely (which the spec would allow and would cause negligible overhead) would have been the right thing to do. But after looking at the problem in more detail, I am not so sure anymore this mistake by Google is the root-cause. It is also quite possible that Java programmers in general have stopped caring how classes do things internally, as long as they seem to work. The documentation for the Java crypto API is certainly convoluted and uninformative enough to be rather painful to read and left me wondering what the different methods actually do.

    • > The documentation for the Java crypto API is certainly convoluted and uninformative enough to be rather painful to read and
      > left me wondering what the different methods actually do.

      That's the understatement of the decade. I still remember the experiment I did once to see whether I could get deterministic RSA encryption to work. The idea was to have a private key stored off-server, have a public key stored on-server, and treat the public key-encrypted output like a hash for runtime login purposes, b

      • by gweihir (88907)

        Indeed. Right on the money on all counts. My key experience was that I was wondering when the different AES variants are used, but it was documented nowhere, so after quite a bit of futile searching I was ready to test it out. (I suspect the number of bits in the key were used, but when doing crypto, you need to _know_!) Fortunately the need never materialized, but having users of a crypto-library guess what things do is extremely dangerous. Crypto documentation needs to be even more precise than normal one

  • How long until Google lawyers will claim that Android users have no expectation of security [cnet.com]?

  • by mathimus1863 (1120437) on Thursday August 15, 2013 @02:41PM (#44576075)
    This certainly affects Bitcoin the most, but a random number generator that actually produces the same "random" numbers is hardly random at all, and could present a serious problem for all types of applications. In fact, that's a thoroughly-broken random number generator and all crypto-related operations could be hosed. I'm wondering how such an egregious PRNG/seeding-algo made it this long without someone noticing. Maybe it's because Bitcoin provides a financial incentive to find these flaws, and honestly it's pretty easy to spot it from a one-minute blockchain scan -- just look for two transactions with identical r-values, plug it into the stupid-simple equation, and then steal the money.

    This has actually come up in the Bitcoin space before: people were rolling-their-own-ECDSA for constructing and signing transactions, and were not aware of the importance of using different random numbers for every signature. As such, about a year ago someone did an identical blockchain search and was able to steal coins the exact same way: but it was due to script-kiddie ignorance. It was assumed this problem would go away when you start using the system PRNG, and taught people a lesson about rolling-their-own-crypto. Even if it's a weak system PRNG, the ECDSA signatures are fairly strong as long as the numbers are different between signatures. Apparently this was more than just "weak" though...

    For Android/mobile, the answer is to leverage the variety of sensors that are on-board. Using the low bits of accelerometer output should work great for seeding a PRNG if someone is actually holding the phone. If not, snap an image or take a quarter-second audio recording should suffice. There's enough noise on the camera and microphone that the hash of the output should be different even if it's sitting camera down in a quiet room. A lot of times you only 32-bytes of entropy, and a single image with 5 million pixels can give you an order of magnitude more than that just from the random variations in sensor output in a dark room.
  • Just one.

    OK then, what does that imply for you ? It's in the current nature of Bitcoin that all your Bitcoins ARE in one basket and you should disaster plan accordingly.

  • The "fix" for this problem is no good. Look at the code.
    DataOutputStream seedBufferOut = new DataOutputStream(seedBuffer);
    seedBufferOut.writeLong(System.currentTimeMillis());
    seedBufferOut.writeLong(System.nanoTime());
    seedBufferOut.writeInt(Process.myPid());
    seedBufferOut.writeInt(Process.myUid());
    seedBufferOut.write(BUILD_FINGERPRINT_AND_DEVICE_SERIAL);
    seedBufferOut.close();

    How well can we predict those v

    • by PayPaI (733999)

      In each case that generateSeed() is called, it's also combined with some data from /dev/urandom

Disclaimer: "These opinions are my own, though for a small fee they be yours too." -- Dave Haynie

Working...