Android vulnerability hits Bitcoin apps and more

When a random number is not so random, security pays the price

Android users of Bitcoin are being advised to upgrade their apps and re-secure their wallets after the discovery of a weakness in a component of the operating system responsible for generating secure random numbers. The weakness also affects some secure communication networks, and renders users vulnerable to theft of their digital currency.

The weakness lies with the Android implementation of a piece of code which is supposed to spit out purely random numbers. Instead of working as it should, the numbers it produces aren’t as random as they seem. These numbers are used by Bitcoin users as the public and private keys in the series of mathematical problems which makes up the “blockchain”, the record of transactions. If they are slightly predictable, then as a result, it is theoretically possible to work out someone’s private key from the public signatures they post, and steal money contained in the wallet.

The vulnerability was highlighted by developer Mike Hearn, who created the Bitcoin Wallet app. That app has since been updated, as have Mycelium Wallet and blockchain.info, two other popular wallet apps for Android. Bitcoin.org, a key website for the decentralised development community, advises users to “rotate” their keys. “This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself”, they write. “Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.”
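As an added illustration (not code from the article or from the wallet apps it names), the Python below audits a wallet's own signature log for the symptom of a repeating generator. It assumes the signatures are DER-encoded ECDSA with any trailing sighash byte already stripped; in ECDSA the first value, r, depends only on the per-signature random number, so two different signatures sharing an r mark the keys to rotate first. The function names, labels and sample values are constructed for the example.

```python
from collections import defaultdict

def parse_der_signature(sig: bytes) -> tuple[int, int]:
    """Return (r, s) from a DER ECDSA signature: SEQUENCE { INTEGER r, INTEGER s }."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] >= 0x80 or sig[1] != len(sig) - 2:
        raise ValueError("not a well-formed DER SEQUENCE")
    pos, values = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        end = pos + 2 + sig[pos + 1]
        if not 0 < sig[pos + 1] < 0x80 or end > len(sig):
            raise ValueError("bad INTEGER length")
        values.append(int.from_bytes(sig[pos + 2:end], "big"))
        pos = end
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return values[0], values[1]

def keys_with_repeated_r(records) -> list[str]:
    """records: (key label, DER signature) pairs. Returns labels whose r was reused."""
    by_r = defaultdict(set)
    for label, sig in records:
        r, s = parse_der_signature(sig)
        by_r[r].add((label, s))  # a set, so one signature logged twice counts once
    flagged = set()
    for uses in by_r.values():
        if len(uses) > 1:  # distinct signatures sharing one r
            flagged.update(label for label, _ in uses)
    return sorted(flagged)

def encode_der(r: int, s: int) -> bytes:
    """Build a DER signature from two integers (only used to construct the sample)."""
    def integer(n: int) -> bytes:
        body = n.to_bytes(n.bit_length() // 8 + 1, "big")  # spare top bit keeps it positive
        return b"\x02" + bytes([len(body)]) + body
    payload = integer(r) + integer(s)
    return b"\x30" + bytes([len(payload)]) + payload

# Constructed sample log of (address label, signature); these are not real signatures.
SAMPLE = [
    ("address-A", encode_der(0xC0FFEE01, 0x1111)),
    ("address-A", encode_der(0xC0FFEE01, 0x2222)),  # same r, different signature
    ("address-B", encode_der(0xBEEF02, 0x3333)),
    ("address-B", encode_der(0xBEEF02, 0x3333)),    # same signature logged twice
    ("address-C", encode_der(0xFACE03, 0x4444)),
]

if __name__ == "__main__":
    print(keys_with_repeated_r(SAMPLE))
```

A clean result does not clear a wallet created with the faulty generator; the advice to rotate every key still applies.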

However, the weakness in the random number generator has the potential to affect more than just bitcoin apps. Any app which relies on the generator for security is at risk, particularly if the programme requires a public and a private key. The nature of the flaw makes it overly easy to determine a private key if given a public key generated around the same time; as a result, any app which uses a form of public key cryptography, where the security of the encrypted content relies on the public and private keys being unrelated, is at risk if those keys were generated using the faulty generator.

In practice, though, the Bitcoin community is at the most risk here. It's one of the few situations where a public key is very public indeed, and the rewards for cracking it are so immediate that if people can try, they will. But it's hardly a mortal wound; the apps can be updated, and wallets resecured. If Bitcoin is really in danger, it comes from a source which many advocates of the digital money are celebrating. Earlier this month, a Texas court officially declared Bitcoin a "currency" in order to take action against a man accused of running a Bitcoin Ponzi scheme. What sounds like much-needed mainstream recognition is actually a double-edged sword, though. As a currency, it is now fair game for regulators. And sure enough, the New York Department of Financial Services is looking into the "Wild West for narcotraffickers and other criminals". Bitcoin will shortly need to grow up or shut up, it seems.


Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman.


Our union backed Brexit, but that doesn't mean scrapping freedom of movement

We can only improve the lives of our members, like those planning strike action at McDonalds, through solidarity.

The campaign to defend and extend free movement – highlighted by the launch of the Labour Campaign for Free Movement this month – is being seen in some circles as a back door strategy to re-run the EU referendum. If that was truly the case, then I don't think unions like mine (the BFAWU) would be involved, especially as we campaigned to leave the EU ourselves.

In stark contrast to the rhetoric used by many sections of the Leave campaign, our argument wasn’t driven by fear and paranoia about migrant workers. A good number of the BFAWU’s membership is made up of workers not just from the EU, but from all corners of the world. They make a positive contribution to the industry that we represent. These people make a far larger and important contribution to our society and our communities than the wealthy Brexiteers, who sought to do nothing other than de-humanise them, cheered along by a rabid, right-wing press. 

Those who are calling for an end to freedom of movement fail to realise that it’s people, rather than land and borders, that make the world we live in. Division works only in the interest of those that want to hold power, control, influence and wealth. Unfortunately, despite a rich history in terms of where division leads us, a good chunk of the UK population still falls for it. We believe that those who live and work here or in other countries should have their skills recognised and enjoy the same rights as those born in that country, including the democratic right to vote.

Workers born outside of the UK contribute more than £328 million to the UK economy every day. Our NHS depends on their labour in order to keep it running; the leisure and hospitality industries depend on them in order to function; the food industry (including farming to a degree) is often propped up by their work.

The real architects of our misery and hardship reside in Westminster. It is they who introduced legislation designed to allow bosses to act with impunity and pay poverty wages. The only way we can really improve our lives is not, as some would have you believe, by blaming other poor workers from other countries; it is through standing together in solidarity. It is by organising and combining that we become stronger, as our fabulous members are showing through their decision to ballot for strike action in McDonalds.

Our members in McDonalds are both born in the UK and outside the UK, and where the bosses have separated groups of workers by pitting certain nationalities against each other, the organised workers have stood together and fought to win change for all, even organising themed social events to welcome each other in the face of the bosses’ attempts to create divisions in the workplace.

Our union has held the long term view that we should have a planned economy with an ability to own and control the means of production. Our members saw the EU as a gravy train, working in the interests of wealthy elites and industrial scale tax avoidance. They felt that leaving the EU would give the UK the best opportunity to renationalise our key industries and begin a programme of manufacturing on a scale that would allow us to be self-sufficient and independent while enjoying solid trading relationships with other countries. Obviously, a key component in terms of facilitating this is continued freedom of movement.

Many of our members come from communities that voted to leave the EU. They are a reflection of real life that the movers and shakers in both the Leave and Remain campaigns took for granted. We weren’t surprised by the outcome of the EU referendum; after decades of politicians heaping blame on the EU for everything from the shape of fruit to personal hardship, what else could we possibly expect? However, we cannot allow migrant labour to remain as a political football to give succour to the prejudices of the uninformed. Given the same rights and freedoms as UK citizens, foreign workers have the ability to ensure that the UK actually makes a success of Brexit, one that benefits the many, rather than the few.

Ian Hodon is President of the Bakers and Allied Food Workers Union and founding signatory of the Labour Campaign for Free Movement.