Monday, 12 August 2013

Android security flaw leaving Bitcoin wallets open to cyber theft

Bitcoin has reported finding a critical flaw in Android, leaving users' digital wallets open to cyber pickpockets.
Engineers from Bitcoin found the vulnerability, confirming it affects several different payment apps and services running on Android. "We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses that render all Android wallets generated to date vulnerable to theft," read the post.
"Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android app. An incomplete list would be Bitcoin Wallet, Blockchain.info wallet, BitcoinSpinner and Mycelium Wallet. Apps where you don't control the private keys at all are not affected. For example, exchange frontends like the Coinbase or Mt Gox apps are not impacted by this issue because the private keys are not generated on your Android phone."
Bitcoin confirmed it is working on fixes for Bitcoin Wallet, BitcoinSpinner, Mycelium Wallet and Blockchain.info, recommending users regularly check the Google Play store for updates and install them as soon as they become available.
"In order to re-secure existing wallets, key rotation is necessary. This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself. If you use an Android wallet then we strongly recommend you to upgrade to the latest version available in the Play Store as soon as one becomes available," read the statement.
"Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one. If you use Bitcoin Wallet by Andreas Schildbach, key rotation will occur automatically soon after you upgrade. The old addresses will be marked as insecure in your address book. You will need to make a fresh backup."
Trend Micro security director Rik Ferguson told V3 it could prove tricky for Bitcoin to protect its users given the fractured nature of Android, with almost 12,000 devices in the market.
"There is no evidence yet that it has been actively exploited, so for those people using Bitcoin wallets on their mobile devices, let's hope the app updates with fixed random number generators are timely. It will be also interesting to see how the underlying issue in Android affects other apps that rely on cryptography and how a fix can be rolled out across that notoriously fragmented ecosystem," he said.
Bitcoins are a digital currency created in 2008. They are designed to allow instantaneous, semi-anonymous online transactions to be made.
The anonymous nature of the currency has seen it become favoured by many criminal groups, who use it as a means to hamper law enforcement's ability to track them. Most recently Webroot reported that several black markets have begun taking Bitcoin payments.
