Android vulnerability hits Bitcoin apps and more

When a random number is not so random, security pays the price

Android users of Bitcoin are being advised to upgrade their apps and re-secure their wallets after the discovering of a weakness in a component of the operating system responsible for generating secure random numbers. The weakness also affects some secure communication networks, and renders users vulnerable to theft of their digital currency.

The weakness lies with the Android implementation of a piece of code which is supposed to spit out purely random numbers. Instead of working as it should, the numbers it produces aren’t as random as they seem. These numbers are used by Bitcoin users as the public and private keys in the series of mathematical problems which makes up the “blockchain”, the record of transactions. If they are slightly predictable, then as a result, it is theoretically possible to work out someone’s private key from the public signatures they post, and steal money contained in the wallet.

The vulnerability was highlighted by developer Mike Hearn, who created the Bitcoin Wallet app. That app has since been updated, as have Mycelium Wallet and blockchain.info, two other popular wallet apps for Android. Bitcoin.org, a key website for the decentralised development community, advises users to “rotate” their keys. “This involves generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself”, they write. “Once your wallet is rotated, you will need to contact anyone who has stored addresses generated by your phone and give them a new one.”

However, the weakness in the random number generator has the potential to affect more than just bitcoin apps. Any app which relies on the generator for security is at risk, particularly if the programme requires a public and a private key. The nature of the flaw makes it overly easy to determine a private key if given a public key generated around the same time; as a result, any app which uses a form of public key cryptography, where the security of the encrypted content relies on the public and private keys being unrelated, is at risk if those keys were generated using the faulty generator.

In practice, though, the Bitcoin community is at the most risk here. It's one of the few situations where a public key is very public indeed, and the rewards for cracking it are so immediate that if people can try, they will. But it's hardly a mortal wound; the apps can be updated, and wallets resecured. If Bitcoin is really in danger, it comes from a source which many advocates of the digital money are celebrating. Earlier this month, a Texas court officially declared Bitcoin a "currency" in order to take action against a man accused of running a Bitcoin Ponzi scheme. What sounds like much-needed mainstream recognition is actually a double-edged sword, though. As a currency, it is now fair game for regulators. And sure enough, the New York Department of Financial Services is looking into the "Wild West for narcotraffickers and other criminals". Bitcoin will shortly need to grow up or shut up, it seems.

Photograph: Bitcoin.org

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman. You should follow Alex on Twitter.

#Match4Lara
Show Hide image

#Match4Lara: Lara has found her match, but the search for mixed-race donors isn't over

A UK blood cancer charity has seen an "unprecedented spike" in donors from mixed race and ethnic minority backgrounds since the campaign started. 

Lara Casalotti, the 24-year-old known round the world for her family's race to find her a stem cell donor, has found her match. As long as all goes ahead as planned, she will undergo a transplant in March.

Casalotti was diagnosed with acute myeloid leukaemia in December, and doctors predicted that she would need a stem cell transplant by April. As I wrote a few weeks ago, her Thai-Italian heritage was a stumbling block, both thanks to biology (successful donors tend to fit your racial profile), and the fact that mixed-race people only make up around 3 per cent of international stem cell registries. The number of non-mixed minorities is also relatively low. 

That's why Casalotti's family launched a high profile campaign in the US, Thailand, Italy and the US to encourage more people - especially those from mixed or minority backgrounds - to register. It worked: the family estimates that upwards of 20,000 people have signed up through the campaign in less than a month.

Anthony Nolan, the blood cancer charity, also reported an "unprecedented spike" of donors from black, Asian, ethcnic minority or mixed race backgrounds. At certain points in the campaign over half of those signing up were from these groups, the highest proportion ever seen by the charity. 

Interestingly, it's not particularly likely that the campaign found Casalotti her match. Patient confidentiality regulations protect the nationality and identity of the donor, but Emily Rosselli from Anthony Nolan tells me that most patients don't find their donors through individual campaigns: 

 It’s usually unlikely that an individual finds their own match through their own campaign purely because there are tens of thousands of tissue types out there and hundreds of people around the world joining donor registers every day (which currently stand at 26 million).

Though we can't know for sure, it's more likely that Casalotti's campaign will help scores of people from these backgrounds in future, as it has (and may continue to) increased donations from much-needed groups. To that end, the Match4Lara campaign is continuing: the family has said that drives and events over the next few weeks will go ahead. 

You can sign up to the registry in your country via the Match4Lara website here.

Barbara Speed is a technology and digital culture writer at the New Statesman and a staff writer at CityMetric.