Android vulnerability hits Bitcoin apps and more

When a random number is not so random, security pays the price

Android users of Bitcoin are being advised to upgrade their apps and re-secure their wallets after the discovery of a weakness in a component of the operating system responsible for generating secure random numbers. The weakness also affects some secure communication networks, and renders users vulnerable to theft of their digital currency.

The weakness lies with the Android implementation of a piece of code which is supposed to spit out purely random numbers. Instead of working as it should, it produces numbers that aren’t as random as they seem. These numbers are used by Bitcoin users as the public and private keys in the series of mathematical problems which makes up the “blockchain”, the record of transactions. If they are even slightly predictable, it is theoretically possible to work out someone’s private key from the public signatures they post, and steal the money contained in the wallet.

The vulnerability was highlighted by developer Mike Hearn, who created the Bitcoin Wallet app. That app has since been updated, as have Mycelium Wallet and blockchain.info, two other popular wallet apps for Android. Bitcoin.org, a key website for the decentralised development community, advises users to “rotate” their keys. “This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself”, they write. “Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.”
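An audit a wallet holder can run over signatures their own keys have already published, added here as an example and not taken from the article or from any wallet's code. In ECDSA, the signature scheme Bitcoin uses, two signatures made with the same per-signature random number carry the same r value, so a repeated r under one key marks that key for the rotation described above. The record layout, function names, labels and sample values are constructed for illustration.

```python
from collections import defaultdict

def parse_der_sig(sig):
    """Return (r, s) from a DER-encoded ECDSA signature (short-form lengths)."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    values, pos = [], 2
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER tag")
        n = sig[pos + 1]
        body = sig[pos + 2:pos + 2 + n]
        if n == 0 or n > 0x7F or len(body) != n:
            raise ValueError("bad INTEGER length")
        values.append(int.from_bytes(body, "big"))
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return values[0], values[1]

def find_reused_r(records):
    """Map key label -> tx labels whose signatures share an r under that key."""
    seen = defaultdict(lambda: defaultdict(list))
    for key, tx, sig in records:
        r, _s = parse_der_sig(sig)
        seen[key][r].append(tx)
    flagged = {}
    for key, by_r in seen.items():
        dup = sorted(tx for txs in by_r.values() if len(txs) > 1 for tx in txs)
        if dup:
            flagged[key] = dup
    return flagged

def der(r, s):
    """Encode (r, s) as DER; used only to build the constructed samples."""
    def enc(v):
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # 0x00 pad keeps it positive
        return b"\x02" + bytes([len(b)]) + b
    body = enc(r) + enc(s)
    return b"\x30" + bytes([len(body)]) + body

# Constructed sample data: labels and values are made up, not real keys or transactions.
R1, R2 = int("d4" * 32, 16), int("3b" * 32, 16)
SAMPLE = [
    ("key-A", "tx-1", der(R1, 0x1001)),
    ("key-A", "tx-2", der(R2, 0x1002)),
    ("key-A", "tx-3", der(R1, 0x1003)),  # same r as tx-1 under the same key
    ("key-B", "tx-4", der(R2, 0x1004)),  # different key, so not grouped with tx-2
]
```

Calling `find_reused_r(SAMPLE)` flags only `key-A`, listing `tx-1` and `tx-3`.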

However, the weakness in the random number generator has the potential to affect more than just bitcoin apps. Any app which relies on the generator for security is at risk, particularly if the programme requires a public and a private key. The nature of the flaw makes it far too easy to determine a private key if given a public key generated around the same time; as a result, any app which uses a form of public key cryptography, where the security of the encrypted content relies on the public and private keys being unrelated, is at risk if those keys were generated using the faulty generator.

In practice, though, the Bitcoin community is at the most risk here. It's one of the few situations where a public key is very public indeed, and the rewards for cracking it are so immediate that if people can try, they will. But it's hardly a mortal wound; the apps can be updated, and wallets resecured. If Bitcoin is really in danger, it comes from a source which many advocates of the digital money are celebrating. Earlier this month, a Texas court officially declared Bitcoin a "currency" in order to take action against a man accused of running a Bitcoin Ponzi scheme. What sounds like much-needed mainstream recognition is actually a double-edged sword, though. As a currency, it is now fair game for regulators. And sure enough, the New York Department of Financial Services is looking into the "Wild West for narcotraffickers and other criminals". Bitcoin will shortly need to grow up or shut up, it seems.


Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman.


The tale of Battersea power station shows how affordable housing is lost

Initially, the developers promised 636 affordable homes. Now, they have reduced the number to 386. 

It’s the most predictable trick in the big book of property development. A developer signs an agreement with a local council promising to provide a barely acceptable level of barely affordable housing, then slashes these commitments at the first, second and third signs of trouble. It’s happened all over the country, from Hastings to Cumbria. But it happens most often in London, and most recently of all at Battersea power station, the Thames landmark and long-time London ruin which I wrote about in my 2016 book, Up In Smoke: The Failed Dreams of Battersea Power Station. For decades, the power station was one of London’s most popular buildings but now it represents some of the most depressing aspects of the capital’s attempts at regeneration. Almost in shame, the building itself has started to disappear from view behind a curtain of ugly gold-and-glass apartments aimed squarely at the international rich. The Battersea power station development is costing around £9bn. There will be around 4,200 flats, an office for Apple and a new Tube station. But only 386 of the new flats will be considered affordable.

What makes the Battersea power station development worse is the developer’s argument for why there are so few affordable homes, which runs something like this. The bottom is falling out of the luxury homes market because too many are being built, which means developers can no longer afford to build the sort of homes that people actually want. It’s yet another sign of the failure of the housing market to provide what is most needed. But it also highlights the delusion of politicians who still seem to believe that property developers are going to provide the answers to one of the most pressing problems in politics.

A Malaysian consortium acquired the power station in 2012 and initially promised to build 517 affordable units, which then rose to 636. This was pretty meagre, but with four developers having already failed to develop the site, it was enough to satisfy Wandsworth council. By the time I wrote Up In Smoke, this had been reduced back to 565 units – around 15 per cent of the total number of new flats. Now the developers want to build only 386 affordable homes – around 9 per cent of the final residential offering, which includes expensive flats bought by the likes of Sting and Bear Grylls. 

The developers say this is because of escalating costs and the technical challenges of restoring the power station – but it’s also the case that the entire Nine Elms area between Battersea and Vauxhall is experiencing a glut of similar property, which is driving down prices. They want to focus instead on paying for the new Northern Line extension that joins the power station to Kennington. The slashing of affordable housing can be done without need for a new planning application or public consultation by using a “deed of variation”. It also means Mayor Sadiq Khan can’t do much more than write to Wandsworth urging the council to reject the new scheme. There’s little chance of that. Conservative Wandsworth has been committed to a developer-led solution to the power station for three decades and in that time has perfected the art of rolling over, despite several excruciating, and occasionally hilarious, disappointments.

The Battersea power station situation also highlights the sophistry developers will use to excuse any decision. When I interviewed Rob Tincknell, the developer’s chief executive, in 2014, he boasted it was the developer’s commitment to paying for the Northern Line extension (NLE) that was allowing the already limited amount of affordable housing to be built in the first place. Without the NLE, he insisted, they would never be able to build this number of affordable units. “The important point to note is that the NLE project allows the development density in the district of Nine Elms to nearly double,” he said. “Therefore, without the NLE the density at Battersea would be about half and even if there was a higher level of affordable, say 30 per cent, it would be a percentage of a lower figure and therefore the city wouldn’t get any more affordable than they do now.”

Now the argument is reversed. Because the developer has to pay for the transport infrastructure, they can’t afford to build as much affordable housing. Smart hey?

It’s not entirely hopeless. Wandsworth may yet reject the plan, while the developers say they hope to restore the missing 250 units at the end of the build.

But I wouldn’t hold your breath.

This is a version of a blog post which originally appeared here.
