Google Admits Bitcoin Thieves Exploited Android Crypto PRNG Flaw

rjmarvin writes "The theft of 55 Bitcoins, or about $5,720, through Android wallet apps last week was made possible because of flaws in Android's Java and OpenSSL crypto PRNG, Google revealed in a blog post. In the wake of a Bitcoin security advisory and a Symantec vulnerability report, the Android Developers Blog admitted the reason the thieves were able to pilfer their wallet apps. The flaws have already been repaired, or are in the process of being repaired."
  • by gstoddart ( 321705 ) on Thursday August 15, 2013 @01:40PM (#44575513) Homepage

    This is what you get for playing with bit coin. When are you going to learn?

    You know, it's not even bitcoin.

    Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected

    The entire crypto on the platform is vulnerable from the looks of it.

    So, I would assume if there were other digital wallet type things on Android, they would be subject to the exact same vulnerability.

  • Better to not trust (Score:2, Interesting)

    by m.dillon ( 147925 ) on Thursday August 15, 2013 @02:05PM (#44575737) Homepage

    Hence why all my Android and iOS devices run a VPN (using the OpenVPN app which works great on both). Of course, the network at the VPN end-point isn't necessarily more secure, but it will be far more secure than all the networks in-between.

    The real question here is... will Google at LEAST update all the phones and pads under their own control? Motorola and Nexus updates, please!

    -Matt

  • by gweihir ( 88907 ) on Thursday August 15, 2013 @02:31PM (#44575973)

    Or rather the Java libraries and their documentation. My guess is that nobody working on this application even noticed that they seeded SecureRandom wrongly. At the same time, making sure this class is always seeded securely (which the spec would allow and would cause negligible overhead) would have been the right thing to do. But after looking at the problem in more detail, I am not so sure anymore that this mistake by Google is the root cause. It is also quite possible that Java programmers in general have stopped caring how classes do things internally, as long as they seem to work. The documentation for the Java crypto API is certainly convoluted and uninformative enough to be rather painful to read, and it left me wondering what the different methods actually do.
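    The seeding mistake discussed above, as an added Java illustration that is not code from the thread, from Google's blog post or from any wallet app: with the SHA1PRNG algorithm, a setSeed() call made before any output is drawn replaces the generator's internal state with the seed alone, so a guessable seed (here a constructed clock value) makes every "random" byte reproducible. The class and method names are assumptions for this example.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeedingCheck {

    // Weak pattern: explicitly seeding SHA1PRNG with a guessable value before
    // the generator has produced any output. From this point on, the output is
    // fully determined by the seed, not by the platform entropy source.
    static byte[] weakKeyBytes(long guessableSeed) throws NoSuchAlgorithmException {
        SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
        rng.setSeed(guessableSeed);   // replaces, rather than supplements, the state
        byte[] out = new byte[32];
        rng.nextBytes(out);
        return out;
    }

    // Correct pattern: let the provider self-seed from the platform entropy
    // source and do not override it. If extra seed material is ever mixed in,
    // call setSeed() only after the generator has produced output, so that
    // (for SHA1PRNG) it supplements the existing state instead of replacing it.
    static byte[] properKeyBytes() {
        SecureRandom rng = new SecureRandom();
        byte[] out = new byte[32];
        rng.nextBytes(out);
        return out;
    }

    // Self-check a wallet-style app could run in its test suite: two generators
    // built the same way must not agree on their first 32 bytes.
    static boolean outputsRepeat(byte[] first, byte[] second) {
        return Arrays.equals(first, second);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        long clock = 1376586000000L;   // constructed "current time" seed for the demo
        System.out.println("explicit clock seed, output reproducible: "
                + outputsRepeat(weakKeyBytes(clock), weakKeyBytes(clock)));
        System.out.println("default self-seeding, output reproducible: "
                + outputsRepeat(properKeyBytes(), properKeyBytes()));
    }
}
```

The first check reports that the two clock-seeded generators agree byte for byte, which is exactly what lets an attacker who can guess the seed regenerate the same key material; the self-seeded generators do not.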
