Monday, August 12, 2013

Android hole allows Bitcoin thieves inside - Macworld

12 Aug. 2013 by Jasper Bakker


News: A vulnerability in the random number generator makes Android apps for Bitcoin vulnerable. The virtual currency can be stolen. Keys that have been created and used must be replaced.

Makers of Bitcoin apps for Android are already working on updates. The upcoming versions of those apps will no longer rely for their random numbers on the Android function that has proved unreliable. The vulnerability in that component of Google’s mobile operating system means that private keys created for Bitcoin transactions can be found out.


Hijacking of private keys

The virtual currency Bitcoin uses public and private encryption keys to sign transactions. The security of this transaction system rests on each address for the exchange of Bitcoins having its own private key. That key is known only to the owner of that address, the holder of the Bitcoin wallet. If an outsider gets hold of such a private key, he can “catch” the Bitcoins that are sent there, explains digital currency site The Genesis Block.

It is noted that not all Bitcoin apps are by definition susceptible to this Android vulnerability. The hole does not apply to apps that do not themselves create private keys via the mobile operating system. Some apps are vulnerable in any case: Bitcoin Wallet, blockchain.info wallet, BitcoinSpinner and Mycelium Wallet.

On forum site Bitcointalk, users are already reporting that 55 Bitcoins were stolen. That is said to have been done by abusing this vulnerability in Android. An initial analysis has shown that a random number was reused. The Android hole comes into the picture because the theft of virtual currency occurs with different apps.
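A wallet owner can check their own transaction history for the random-number reuse described above and so find out which keys must be replaced. The following is an added example, not code from the article or from any of the apps named. It assumes Bitcoin's ECDSA signatures in DER encoding, where the first integer (r) depends only on the random number used, and all function names, key labels and records are constructed.

```python
from collections import defaultdict

def parse_der_signature(sig: bytes):
    """Return (r, s) from a DER ECDSA signature; one trailing sighash byte is allowed."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] >= 0x80:
        raise ValueError("not a short-form DER SEQUENCE")
    end = 2 + sig[1]
    if not 0 <= len(sig) - end <= 1:
        raise ValueError("length field does not match data")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > end or sig[pos] != 0x02 or sig[pos + 1] == 0:
            raise ValueError("expected non-empty INTEGER")
        n = sig[pos + 1]
        ints.append(int.from_bytes(sig[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    if pos != end:
        raise ValueError("INTEGER lengths do not fill the SEQUENCE")
    return ints[0], ints[1]

def keys_to_replace(records):
    """Map public key -> sorted tx ids whose signatures reuse one r with different s."""
    seen = defaultdict(lambda: defaultdict(set))  # pubkey -> r -> {(txid, s)}
    for pubkey, txid, sig_hex in records:
        r, s = parse_der_signature(bytes.fromhex(sig_hex))
        seen[pubkey][r].add((txid, s))
    flagged = {}
    for pubkey, by_r in seen.items():
        for uses in by_r.values():
            if len({s for _, s in uses}) > 1:  # same random number, different messages
                flagged.setdefault(pubkey, set()).update(t for t, _ in uses)
    return {k: sorted(v) for k, v in flagged.items()}

def _der(r, s):  # builds a constructed sample signature (hex), sighash byte 0x01 appended
    def enc(x):
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")  # leading 0x00 keeps it positive
        return b"\x02" + bytes([len(b)]) + b
    body = enc(r) + enc(s)
    return (b"\x30" + bytes([len(body)]) + body + b"\x01").hex()

# Constructed records: (public key label, transaction id, signature hex). Not real data.
R1, R2 = 0xA1B2C3D4E5F60718, 0x1122334455667788
SAMPLE = [
    ("key-A", "tx1", _der(R1, 0x1111)),
    ("key-A", "tx2", _der(R1, 0x2222)),  # same r as tx1 under the same key
    ("key-A", "tx3", _der(R2, 0x3333)),
    ("key-B", "tx4", _der(R1, 0x4444)),
]
```

Any key that `keys_to_replace` returns should be treated as exposed: move its funds to an address whose key was generated with a fixed random source.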


‘Hole is greater than Bitcoin’

A German hacker, Frank Rieger, says on Twitter that the impact of this Android error is greater than the theft of Bitcoins. Many Android apps that use encryption should be checked and may need patches, he says. Rieger links to a summary of a technical paper dating back to March of this year.

In it, security researchers Kai Michaelis, Jörg Schwenk and Chris Meyer explain that they found vulnerabilities in the pseudo-random number generators (PRNGs) that are in use on Java. The Java platform also covers Android, since Google uses the Dalvik Java branch to run apps.


General Java Problem

The researchers put the Java libraries Apache Harmony, GNU Classpath, OpenJDK and The Legion of the Bouncy Castle to the test. Their conclusion is: “Do not use PRNGs when good randomness is required”. Michaelis, Schwenk and Meyer already presented their findings at the end of February at the security conference RSA Conference, under the title: Randomly Failed! The State of Randomness in Current Java Implementations.

Hacker Frank Rieger refers to research on this vulnerability that already came to light at the end of February this year:

