Android vulnerability hits Bitcoin apps and more

When a random number is not so random, security pays the price

Android users of Bitcoin are being advised to upgrade their apps and re-secure their wallets after the discovery of a weakness in a component of the operating system responsible for generating secure random numbers. The weakness also affects some secure communication networks, and renders users vulnerable to theft of their digital currency.

The weakness lies with the Android implementation of a piece of code which is supposed to spit out purely random numbers. Instead of working as it should, it produces numbers that aren’t as random as they seem. These numbers are used by Bitcoin users as the public and private keys in the series of mathematical problems which makes up the “blockchain”, the record of transactions. If they are even slightly predictable, it is theoretically possible to work out someone’s private key from the public signatures they post, and steal the money contained in the wallet.

The vulnerability was highlighted by developer Mike Hearn, who created the Bitcoin Wallet app. That app has since been updated, as have Mycelium Wallet and blockchain.info, two other popular wallet apps for Android. Bitcoin.org, a key website for the decentralised development community, advises users to “rotate” their keys. “This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself”, they write. “Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.”

However, the weakness in the random number generator has the potential to affect more than just bitcoin apps. Any app which relies on the generator for security is at risk, particularly if the programme requires a public and a private key. The nature of the flaw makes it overly easy to determine a private key if given a public key generated around the same time; as a result, any app which uses a form of public key cryptography, where the security of the encrypted content relies on the public and private keys being unrelated, is at risk if those keys were generated using the faulty generator.
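The two paragraphs above make a claim that is easy to state and worth seeing concretely: a public key is only as secret as the randomness behind its private key, so if the generator's whole state fits in a small space, every key it could have produced can be regenerated and matched against a published public key. The following Python script is an added example written for this page, not code from the article, from Android, or from any wallet project. It uses a constructed toy group (modular exponentiation modulo the well-known secp256k1 field prime, with generator 2 assumed to have large order) rather than Bitcoin's real elliptic curve, models the broken generator as a `random.Random` seeded from a small value, and contrasts it with `secrets`, which draws from the OS CSPRNG. The `audit_public_key` function is the defender-side check: it tells you whether a given public key could have come from a low-entropy generator, which is precisely why the advice above is to rotate any keys produced by the faulty one.

```python
import random
import secrets

# Constructed toy group: the multiplicative group modulo a 256-bit prime.
# The prime is the secp256k1 field prime (a real, well-known value), but the
# group itself is NOT secp256k1 and NOT what Bitcoin uses; it just makes
# "public = G ** private mod P" cheap to compute and the key space too
# large to search directly (2**256 candidates).
P = 2**256 - 2**32 - 977
G = 2          # assumed to have large order; the demonstration does not depend on it
KEY_BITS = 256


def public_from_private(private: int) -> int:
    """Derive the public key from a private key (toy discrete-log keypair)."""
    return pow(G, private, P)


def weak_private_key(seed: int) -> int:
    """Model of a broken generator: all of its 'randomness' comes from a small
    seed (think of a process id or a coarse timestamp), so keys generated
    around the same time come from a handful of nearby seeds."""
    rng = random.Random(seed)              # deterministic, non-cryptographic
    return rng.getrandbits(KEY_BITS) % (P - 1) or 1


def strong_private_key() -> int:
    """A properly seeded generator: 256 bits straight from the OS CSPRNG."""
    return secrets.randbits(KEY_BITS) % (P - 1) or 1


def audit_public_key(public: int, seed_bits: int):
    """Defender-side check: could this public key have been produced by a
    generator whose entire state fits in `seed_bits` bits?  Enumerates every
    candidate seed, regenerates the key it would yield and compares public
    keys.  Returns (seed, private) if the key is recoverable from the public
    key alone, None otherwise.  Cost is 2**seed_bits exponentiations: trivial
    for a small seed space, hopeless for the 2**256 space a CSPRNG draws from.
    """
    for seed in range(1 << seed_bits):
        candidate = weak_private_key(seed)
        if public_from_private(candidate) == public:
            return seed, candidate
    return None


def demo(seed_bits: int = 12) -> dict:
    """Run the audit against one weak-generator wallet and one strong one."""
    # Wallet whose keys came from the broken generator (constructed sample seed).
    weak_seed = 0xABC & ((1 << seed_bits) - 1)
    weak_priv = weak_private_key(weak_seed)
    weak_pub = public_from_private(weak_priv)
    recovered = audit_public_key(weak_pub, seed_bits)

    # Wallet whose keys came from a properly seeded generator.
    strong_priv = strong_private_key()
    strong_pub = public_from_private(strong_priv)
    not_recovered = audit_public_key(strong_pub, seed_bits)

    return {
        "weak_recovered": recovered is not None and recovered[1] == weak_priv,
        "strong_recovered": not_recovered is not None,
    }


if __name__ == "__main__":
    # Expected: {'weak_recovered': True, 'strong_recovered': False}
    print(demo())
```

The seed space here is deliberately tiny (12 bits) so the script finishes in well under a second; the point is the ratio, not the absolute number. Nothing about the "public key" side changes between the two wallets: the only difference is how many distinct private keys the generator could ever have produced, which is exactly the property the Android bug degraded and the reason a key-rotation with a repaired generator, rather than any change to the apps' cryptography, was the fix.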

In practice, though, the Bitcoin community is at the most risk here. It's one of the few situations where a public key is very public indeed, and the rewards for cracking it are so immediate that if people can try, they will. But it's hardly a mortal wound; the apps can be updated, and wallets resecured. If Bitcoin is really in danger, it comes from a source which many advocates of the digital money are celebrating. Earlier this month, a Texas court officially declared Bitcoin a "currency" in order to take action against a man accused of running a Bitcoin Ponzi scheme. What sounds like much-needed mainstream recognition is actually a double-edged sword, though. As a currency, it is now fair game for regulators. And sure enough, the New York Department of Financial Services is looking into the "Wild West for narcotraffickers and other criminals". Bitcoin will shortly need to grow up or shut up, it seems.

Photograph: Bitcoin.org

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.
