All Android-created Bitcoin wallets Are Belong to Us

This seems like a bad thing, and given that I have a distaste for Java, I can safely say that this is a problem created by Java developers lazy in their coding standards, or done on purpose to rule the world and take advantage of non-elitists who know not better. Which would be just as bad.

released a security advisory over the weekend warning the Bitcoin community that any Bitcoin wallet generated on any Android device is insecure and open to theft. The insecurity appears to stem from a flaw in the Android Java SecureRandom class, which under certain circumstances can produce numbers that aren't truly nondeterministic. This can allow an attacker to work out a victim's cryptographic private key. Private keys are used to sign Bitcoin transactions; if an attacker has a victim's private key, the attacker can execute Bitcoin transactions as if he were that person.

So far, it appears that the vulnerability has been used to steal at least 55 BTC (approximately $5,720 as of this morning).

The first paragraph in the Ars article tells all and is one reason why Open Source software is good but can also be bad. I'm sure by now the company has issued a security update but, if memory serves, once the Bitcoin wallet has been created, the only way to change it would be to create a new one and move the money.

Seems the thieves have beaten them to the punch. Or, maybe this is a Superman 3 sort of scam. Either way, go Java!
