Bitcoin Exposed to Theft Due To Innate Mobile Operating System Flaw

Tuesday, 13/08/2013 | 08:46 GMT by Andrew Saks McLeod
  • Following a proposed measure by the New York banking regulator aimed at protecting consumers with regard to virtual currency, it has been discovered that Android's mobile OS leaves users vulnerable to theft.

The security of propagating online transactions has long been a matter of concern for banks and merchants alike; however, with the recent exponential rise in popularity of cryptocurrencies, a further insecurity has reared its head.

Transactions made with credit cards and online banking, using central bank-issued currencies, are insurable against instances of theft or fraud; however, should the light fingers of an electronic pickpocket empty your electronic wallet, there is no recourse whatsoever.

The latest matter for concern on this subject was highlighted by Bitcoin Foundation yesterday, after it made a statement to the effect that the Android mobile operating system has an innate flaw which renders users of the virtual currency exposed to potential theft.

The issue affects some Android "wallet" apps, the organisation said, including Bitcoin Wallet and BitcoinSpinner.

To protect an Android wallet, the developers have advised that users must update their applications once a new version becomes available.

The news came as a result of the New York Department of Financial Services (DFS) implementing a ruling yesterday that companies will be asked to provide it with data and information, as it prepares to draft state guidelines on virtual currencies, in effect ordering companies to co-operate with a probe into the way Bitcoin is used.

The DFS produced a draft memorandum, the final version of which is scheduled for release on Monday August 19, which states that “if virtual currencies remain a virtual Wild West for narcotraffickers and other criminals, that would not only threaten our country's national security, but also the very existence of the virtual currency industry as a legitimate business enterprise”.

As is often the case in North America, consumer protection is at the root of this action. “We believe that, for a number of reasons, putting in place appropriate regulatory safeguards for virtual currencies will be beneficial to the long term strength of the virtual currency industry,” Benjamin Lawsky, head of the DFS, wrote in a drafted letter to the Wall Street Journal.

Encryption Fault Leads To Vulnerability

Bitcoin Foundation’s research into this matter concluded that the wallet’s susceptibility to being accessed by unauthorized users is a result of the way that the Android operating system generates the sequences of secure random numbers needed to keep the wallets safe.

Analysts discovered that Android's SecureRandom Java class sometimes repeats number sequences, which must be unique in order to keep each Bitcoin secure.
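An audit check for the failure described above, added here as an example and not taken from the article or any wallet project: it assumes the repeated values were used as per-signature ECDSA numbers, so that a repeat shows up as one key producing the same r value in two different signatures. Record labels, key names and signature values are constructed.

```python
from collections import defaultdict

def parse_der_sig(sig: bytes):
    """Parse a bare DER ECDSA signature (SEQUENCE of two INTEGERs) into (r, s).
    Short-form lengths only, which covers 256-bit curves."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the expected length")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        n = sig[pos + 1]
        body = sig[pos + 2 : pos + 2 + n]
        if n == 0 or len(body) != n:
            raise ValueError("truncated INTEGER")
        ints.append(int.from_bytes(body, "big"))
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes after signature")
    return ints[0], ints[1]

def find_reused_nonces(records):
    """records: (txid, key_id, der_sig_hex) tuples.
    Returns {(key_id, r): [txids]} where one key used the same r with different s."""
    seen = defaultdict(dict)
    for txid, key_id, sig_hex in records:
        r, s = parse_der_sig(bytes.fromhex(sig_hex))
        seen[(key_id, r)][s] = txid  # identical (r, s) is a duplicate record, not reuse
    return {k: sorted(v.values()) for k, v in seen.items() if len(v) > 1}

def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # adds 0x00 pad if high bit set
    return b"\x02" + bytes([len(b)]) + b

def der_sig(r: int, s: int) -> str:
    """Encode constructed (r, s) test values as DER hex; these are not real signatures."""
    body = _der_int(r) + _der_int(s)
    return (b"\x30" + bytes([len(body)]) + body).hex()

# Constructed sample data: labels and numbers are made up for the example.
R_A, R_B = int("11" * 32, 16), int("c3" * 32, 16)
SAMPLE = [
    ("tx-1", "key-A", der_sig(R_A, 0x1001)),
    ("tx-2", "key-A", der_sig(R_B, 0x1002)),
    ("tx-3", "key-A", der_sig(R_A, 0x1003)),  # same r as tx-1, different s: flagged
    ("tx-4", "key-B", der_sig(R_B, 0x1004)),  # same r as tx-2 but another key
    ("tx-2", "key-A", der_sig(R_B, 0x1002)),  # exact duplicate of an earlier record
]
```

Any key that `find_reused_nonces` reports should be treated as exposed and its funds moved to an address generated with a repaired random number generator, as the Bitcoin Foundation statement advises.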

Discussion among members of Bitcoin forum bitcointalk.org has included suggestions that the equivalent of thousands of US dollars may have already been stolen, although at the moment these are not substantiated.

Bitcoin Foundation’s statement on Sunday relating to this matter warned that "Because the problem lies with Android itself, this problem will affect you if you have a wallet generated by any Android application."

The issue affects only programs where the number sequences or private keys are controlled on the user's device.

For wallet applications that were vulnerable, Bitcoin Foundation said it would be necessary to change keys.

This process involves "generating a new address with a repaired random number generator and then sending all the money in your wallet back to yourself", according to the Bitcoin Foundation statement.

Furthermore, some of the affected applications were in the process of updating their wallet apps to assist the rectification of the problem, including Bitcoin Wallet, BitcoinSpinner, Mycelium Wallet and Blockchain.info.

The BBC yesterday investigated this further and in conversing with a number of academics on this matter, found that the general consensus is that virtual currencies could face ongoing problems such as this due to the way that they have been designed.

Dr Joss Wright, a research fellow at the Oxford Internet Institute, explained to the BBC that cryptographers relied heavily on a computer's ability to generate random numbers in order to keep information secure. But, he added, computers did not always do this reliably.

"Choosing good random numbers is the key issue," Dr Wright said. "If the random numbers can be predicted by somebody else, this could lead to all sorts of security problems."

It seems that when Brooks Stevens coined, if the pun can be excused, the phrase built-in obsolescence in 1954 he likely never imagined that it would half a century later not only refer to physical products, but virtual ones too.
