Android vulnerability hits Bitcoin apps and more

When a random number is not so random, security pays the price

Android users of Bitcoin are being advised to upgrade their apps and re-secure their wallets after the discovery of a weakness in a component of the operating system responsible for generating secure random numbers. The weakness also affects some secure communication networks, and renders users vulnerable to theft of their digital currency.

The weakness lies with the Android implementation of a piece of code which is supposed to spit out purely random numbers. Instead of working as it should, the numbers it produces aren’t as random as they seem. These numbers are used by Bitcoin users as the public and private keys in the series of mathematical problems which makes up the “blockchain”, the record of transactions. If they are slightly predictable, then as a result, it is theoretically possible to work out someone’s private key from the public signatures they post, and steal money contained in the wallet.
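A wallet owner can check for this failure in signatures already published. The sketch below is an added example, not code from the article or from any wallet project. It relies on the fact that in ECDSA, the signature scheme Bitcoin uses, the first signature component r depends only on the per-signature random number, so a generator that repeats itself shows up as repeated r values. The record layout, wallet labels, function names and sample values are all constructed assumptions.

```python
from collections import defaultdict

def parse_der_sig(sig: bytes) -> tuple:
    """Return (r, s) from a DER ECDSA signature: 30 len 02 rlen r 02 slen s."""
    if not 8 <= len(sig) <= 0x81 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER tag")
        n = sig[pos + 1]
        if n == 0 or n > 0x7F or pos + 2 + n > len(sig):
            raise ValueError("bad INTEGER length")
        ints.append(int.from_bytes(sig[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return ints[0], ints[1]

def audit(records):
    """records: (key_label, message_digest_hex, der_signature) tuples.
    'exposed'     = one key signed two different messages with the same r
    'rng_suspect' = different keys share an r, so the generator repeated"""
    by_r = defaultdict(set)                    # r -> {(key, digest)}
    for key, digest, sig in records:
        by_r[parse_der_sig(sig)[0]].add((key, digest))
    verdict = {}
    for uses in by_r.values():
        keys = [k for k, _ in uses]
        if len(keys) < 2:
            continue                           # r seen once: nothing to report
        for k in set(keys):
            if keys.count(k) > 1:
                verdict[k] = "exposed"         # rotate this key
            else:
                verdict.setdefault(k, "rng_suspect")
    return verdict

def _der(r, s):                                # helper to build constructed samples
    enc = lambda x: (lambda b: b"\x02" + bytes([len(b)]) + b)(
        x.to_bytes((x.bit_length() + 8) // 8, "big"))
    body = enc(r) + enc(s)
    return b"\x30" + bytes([len(body)]) + body

R1, R2, R3, R4 = (0x80 << 248) | 1, 0x1234 << 200, 0x5678 << 200, 0x9ABC << 200
SAMPLE = [("wallet_A", "01", _der(R1, 0x1111)), ("wallet_A", "02", _der(R1, 0x2222)),
          ("wallet_B", "03", _der(R2, 0x3333)), ("wallet_B", "04", _der(R3, 0x4444)),
          ("wallet_C", "05", _der(R4, 0x5555)), ("wallet_D", "06", _der(R4, 0x6666))]
```

Any key reported as exposed or rng_suspect should be treated as generated or used with the faulty generator and rotated as described in the advice that follows.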

The vulnerability was highlighted by developer Mike Hearn, who created the Bitcoin Wallet app. That app has since been updated, as have Mycelium Wallet and blockchain.info, two other popular wallet apps for Android. Bitcoin.org, a key website for the decentralised development community, advises users to “rotate” their keys. “This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself”, they write. “Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.”

However, the weakness in the random number generator has the potential to affect more than just bitcoin apps. Any app which relies on the generator for security is at risk, particularly if the programme requires a public and a private key. The nature of the flaw makes it overly easy to determine a private key if given a public key generated around the same time; as a result, any app which uses a form of public key cryptography, where the security of the encrypted content relies on the public and private keys being unrelated, is at risk if those keys were generated using the faulty generator.

In practice, though, the Bitcoin community is most at risk here. It's one of the few situations where a public key is very public indeed, and the rewards for cracking it are so immediate that if people can try, they will. But it's hardly a mortal wound; the apps can be updated, and wallets resecured. If Bitcoin is really in danger, it comes from a source which many advocates of the digital money are celebrating. Earlier this month, a Texas court officially declared Bitcoin a "currency" in order to take action against a man accused of running a Bitcoin Ponzi scheme. What sounds like much-needed mainstream recognition is actually a double-edged sword, though. As a currency, it is now fair game for regulators. And sure enough, the New York Department of Financial Services is looking into the "Wild West for narcotraffickers and other criminals". Bitcoin will shortly need to grow up or shut up, it seems.

Photograph: Bitcoin.org

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.


Who will win in Manchester Gorton?

Will Labour lose in Manchester Gorton?

The death of Gerald Kaufman will trigger a by-election in his Manchester Gorton seat, which has been Labour-held since 1935.

Coming so soon after the disappointing results in Copeland – where the seat was lost to the Tories – and Stoke – where the party lost vote share – some overly excitable commentators are talking up the possibility of an upset in the Manchester seat.

But Gorton is very different to Stoke-on-Trent and to Copeland. The Labour lead is 56 points, compared to 16.5 points in Stoke-on-Trent and 6.5 points in Copeland. (As I’ve written before and will doubtless write again, it’s much more instructive to talk about vote share rather than vote numbers in British elections. Most of the country tends to vote in the same way even if they vote at different volumes.)

That 47 per cent of the seat's residents come from a non-white background and that the Labour party holds every council seat in the constituency only adds to the party's strong position here. 

But that doesn’t mean that there is no interest to be had in the contest at all. That the seat voted heavily to remain in the European Union – around 65 per cent according to Chris Hanretty’s estimates – will provide a glimmer of hope to the Liberal Democrats that they can finish a strong second, as they did consistently from 1992 to 2010, before slumping to fifth in 2015.

How they do in second place will inform how jittery Labour MPs with smaller majorities and a history of Liberal Democrat activity are about Labour’s embrace of Brexit.

They also have a narrow chance of becoming competitive should Labour’s selection turn acrimonious. The seat has been in special measures since 2004, which means the selection will be run by the party’s national executive committee, though several local candidates are tipped to run, with Afzal Khan, a local MEP, and Julie Reid, a local councillor, both expected to run for the vacant seats.

It’s highly unlikely but if the selection occurs in a way that irritates the local party or provokes serious local in-fighting, you can just about see how the Liberal Democrats give everyone a surprise. But it’s about as likely as the United States men landing on Mars any time soon – plausible, but far-fetched. 

Stephen Bush is special correspondent at the New Statesman. His daily briefing, Morning Call, provides a quick and essential guide to British politics.