Crypto flaws in Blockchain Android app sent bitcoins to the wrong address, Ars Technica
Biz & IT / Information Technology
A comedy of programming errors could prove catastrophic for affected users.
by Dan Goodin – May 29, two thousand fifteen Three:50 pm UTC
Blockchain, one of the Internet’s most widely used Bitcoin wallets, has rushed out an update for its Android app after discovering critical cryptographic and programming flaws that can cause users to send digital coins to the wrong people with no warning.
The vulnerabilities affect a subset of people who run Blockchain for Android on versions Four.1 or older of the mobile OS, according to an advisory published Thursday. The most serious of the flaws is the use of the unencrypted HTTP connections when the app’s cryptographic engine contacts random.org to obtain random numbers used to generate private keys for Bitcoin addresses. Since January, random.org has required the use of the more secure HTTPS protocol and has returned a three hundred one Moved Permanently response when accessed through HTTP. As a result, vulnerable installations of Blockchain for Android generated the private key corresponding to the address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F, regardless of the address specified by the user.
“To our skill, this bug resulted in one specific address being generated numerous times, leading to a loss of funds for a handful of users,” Thursday’s advisory stated.
According to this entry in the Bitcoin ledger, the holder of the fortunate 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F address emerges to have received almost thirty four bitcoins since the January, when the address became active (hat peak to Ars reader Bob Loblaw). Nicholas Weaver, a security researcher at the International Computer Science Institute in Berkeley, California, said it’s possible numerous people may have been able to benefit from the error through the use of “tumbler” services designed to obfuscate how bitcoins are spent and received. Still, the at today’s rate, the thirty four bitcoins are worth about $8,100.
Additionally, in certain cases, the pseudorandom number generator in Blockchain for Android failed to access random data that was supposed to be mixed into the random bits downloaded from random.org. Instead of returning an error, the app simply used the 256-bit number provided by random.org as the foot input for generating private keys. That meant the random.org website was the foot supplier of entropy used in the generation process.
It’s not entirely clear what causes some users on Android Four.1 and earlier to be vulnerable while others are not affected. Some people have speculated that the vulnerability is present on devices that can’t access random values that are supposed to be available in the /dev/urandom file.
Cryptography and security experts were aghast at the scale of the error. Beyond no one using HTTPS by default to access random.org—and the months-long failure to catch the three hundred one response—there’s a more fundamental error of judgement. Random numbers are one of the most significant components in secure cryptographic functions. Critics said it was a mistake of epic proportion for Blockchain to be so casual about how it went about obtaining the raw material for such key ingredients.
“WTF? The blockchain.info Android app was just getting ‘random’ numbers from the Internet?” Weaver wrote on Twitter. “I think I need to write a followon rant: how to make money in Bitcoin with sabotaged pRNGs. Reduce entropy pool to thirty bits with ‘improvements’,” he added.
The vulnerabilities involved the use of the LinuxSecureRandom programming interface to generate pseudo random numbers instead of SecureRandom, which is the more standard interface for Android developers. The idea behind the customization in Blockchain seemed to be the capability to pull in random values from two sources—random.org and a resource residing in the OS itself. In retrospect, the lack of HTTPS protections, the failure to detect a three hundred one response, and the inability of some devices to pull random bits from the OS itself underscore how effortless it is to make mistakes when developing home-grown cryptographic solutions.
“It only seems to affect a lil’ number of devices,” Johns Hopkins University professor Matt Green told Ars. “On those devices it’s catastrophic unless you’ve patched.”
It’s not the very first time crypto failures have caused Android wallet users to lose real-world money. Almost two years ago, a critical crypto flaw in Android itself was exploited to pilfer more than $Five,700 worth of the digital coin. More technical details behind the Blockchain failure are here and here.
Post updated to add details in the fourth paragraph about Bitcoin address that received payments in error, switch “folder” to “file” in the sixth paragraph, and add details in the last paragraph about previous crypto flaws affecting Android Bitcoin wallets.