Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Google Admits Bitcoin Thieves Exploited Android Crypto PRNG Flaw

timothy posted about a year ago | from the oopsie dept.

Bitcoin 183

rjmarvin writes "The theft of 55 Bitcoins, or about $5,720, through Android wallet apps last week was made possible because of flaws in Android's Java and OpenSSL crypto PRNG, Google revealed in a blog post. In the wake of a Bitcoin security advisory and a Symantec vulnerability report, the Android Developers Blog admitted the reason the thieves were able to pilfer their wallet apps. The flaws are already, or in the process of being repaired."

Sorry! There are no comments related to the filter you selected.

Where is Tuppe666? (-1)

Anonymous Coward | about a year ago | (#44575405)

Where is Tuppe666 to tell us how Google is good for letting this flaw go unfixed for so long.

Re:Where is Tuppe666? (1, Insightful)

Jeremiah Cornelius (137) | about a year ago | (#44575999)

BitCoin, SchmitCoin!

If this is the kind of stunt being pulled off, it a'int no BitCoin that I worry about.

GooglePay from Android phones. There's where you can make your pennyshaving pay big rewards.

I would run over my phone with a truck, before trusting Android with real account information.

Already or in the process of being repaired (-1, Flamebait)

BitZtream (692029) | about a year ago | (#44575409)

So what that means is that they aren't repaired, and they will start working on it at some point. Thats a ridiculously wishy-washy statement that has no actual meaning.

This is what you get for playing with bit coin. When are you going to learn?

Re:Already or in the process of being repaired (5, Interesting)

gstoddart (321705) | about a year ago | (#44575513)

This is what you get for playing with bit coin. When are you going to learn?

You know, it's not even bitcoin.

Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected

The entire crypto on the platform is vulnerable from the looks of it.

So, I would assume if there were other digital wallet type things on Android, they would be subject to the exact same vulnerability.

Re:Already or in the process of being repaired (0)

Anonymous Coward | about a year ago | (#44575729)

The bitcoin wallets were already fixed. Now the problem is with everything else...

Re:Already or in the process of being repaired (1)

Anonymous Coward | about a year ago | (#44575819)

Including the majority of Android phones, which won't ever be upgraded due to stupid carriers.

Including most being sold today.

#Winning

Re:Already or in the process of being repaired (1, Funny)

Anonymous Coward | about a year ago | (#44575855)

It's okay though, with Android you can just write your own PRNG and change all the other software to use it, then you'll be good to go.

Re:Already or in the process of being repaired (2)

rtfa-troll (1340807) | about a year ago | (#44576735)

It's okay though, with Android you can just write your own PRNG and change all the other software to use it, then you'll be good to go.

It's even better than that though. You can write it; but Google carefully thought to protect you from actually deploying it by putting Android under the Apache license which means that your phone manufacturer can lock down your bootloader to protect you from actually changing anything. Just think of all the people who might end up putting insecure random number generators into their phone and screwing their security if Google had used, for example, the GPLv3.

All hail the all knowing and all wise Google.

(I will admit that at least Google's own Nexus devices don't really do this; but why spoil a good rant with facts.. )

Re:Already or in the process of being repaired (1, Informative)

Bam_Thwok (2625953) | about a year ago | (#44575947)

I assure you, he was casting aspersions on all digital wallet type things, not just bitcoin. Bitcoin advocates love to tout how awesomely anonymous and secure and perfect and futuristic it is. Then scams and simple robberies like this happen all the time, and normal people say "caveat emptor, you fool" while the mouthbreathers insist that "It's not a problem with BITCOIN per se! Bitcoin is still great! Bittcoin 4eva!"

Re:Already or in the process of being repaired (0)

Anonymous Coward | about a year ago | (#44576001)

Bitcoin is pretty awesome/interesting. Its experimental as well, so of course there will be bumps in the road. This is the first time open source beat closed source to a market, stop hating on it.

Re:Already or in the process of being repaired (1)

Anonymous Coward | about a year ago | (#44576319)

Bitcoin is pretty awesome/interesting.

Yeah, so what? Some people think basket weaving is awesome/interesting.

This is the first time open source beat closed source to a market, stop hating on it.

On something a majority of people wisely don't use or care about. But, yes, continue to pay yourself on the back.

Re:Already or in the process of being repaired (1)

K. S. Kyosuke (729550) | about a year ago | (#44576663)

Yeah, so what? Some people think basket weaving is awesome/interesting.

That's probably because it is.

Re:Already or in the process of being repaired (1)

Bam_Thwok (2625953) | about a year ago | (#44576625)

I'll give you that it's interesting. I wouldn't call it awesome, except to say that I'm often awestruck at how relentlessly unscrupulous the bitcoin community remains at every turn. What market is it, exactly, that bitcoin is first to? It's not the first currency to be exchanged nor stored anonymously. It's not the first solution for online person to person or e-commerce payments. It's not the first virtual currency to be exchangeable for real money. Etc. What has bitcoin done besides assert its own value on the premise that it will somehow be the future of worldwide finance?

Re:Already or in the process of being repaired (2)

Jeff Flanagan (2981883) | about a year ago | (#44575795)

No, it means that devs jumped on the problem as soon as it was revealed, and at least the Android wallet I use has already been patched, and a new bitcoin address automatically created to secure my precious .0006BTC. I assume that's the case for most, if not all, Android wallets.

Nothing you said was true. so you might want to consider the possibility that you don't know what you're talking about and are spreading FUD.

Re:Already or in the process of being repaired (0)

Anonymous Coward | about a year ago | (#44575943)

So what that means is that they aren't repaired, and they will start working on it at some point. Thats a ridiculously wishy-washy statement that has no actual meaning.

This is what you get for playing with bit coin. When are you going to learn?

The articles says "flaws". That's plural, as in more than 1 flaw. So some of them have already been patched, others are currently being patched. It's really not that difficult to understand the meaning. The only thing wishy-washy is your attention span.

Re:Already or in the process of being repaired (0)

smooth wombat (796938) | about a year ago | (#44576261)

This is Google we're talking about. The company which openly says you have no privacy.

This is more proof of their stance.

How does this get fixed? (4, Insightful)

mveloso (325617) | about a year ago | (#44575411)

Is it up to the OEM to backport the patch to all the various android versions that they have? If so, this vulnerability will live forever.

It's like google and its partners are building this huge botnet of vulnerable devices. Every year it gets bigger.

Re:How does this get fixed? (0)

Anonymous Coward | about a year ago | (#44575501)

What's most hilarious is the recommended workaround: Seed the "SecureRandom" class with random numbers from /dev/urandom. Seriously? Why wouldn't you just use /dev/urandom (or better, /dev/random) instead? More layers for more chances to fuck it up?

Re:How does this get fixed? (1)

FrangoAssado (561740) | about a year ago | (#44575669)

It's much easier and foolproof to fix SecureRandom than to find and change every piece of code (including libraries which many people have no control over) that uses SecureRandom.

Re:How does this get fixed? (0)

Anonymous Coward | about a year ago | (#44575799)

IANAP, and I definitely don't do it on Android but as a layman, I don't think you get the question. Say I was writing a brand new program that needed random numbers. Why would I use SecureRandom instead of just getting the numbers from /dev/urandom? Judging by the workaround, programmers can use either one so what benefit does SecureRandom have?

Re:How does this get fixed? (1)

FrangoAssado (561740) | about a year ago | (#44576215)

SecureRandom has the benefit of being the standard way of generating random numbers for use in cryptography in Java. Why do it differently when you can do it the standard way (where you can re-use the code later, if opportunity arises)?

On the other hand, "use /dev/random instead" is not good advice for people who already have working code (possibly in libraries) that uses SecureRandom. The solution given in that blog post is very simple: "Add this class to your android project and stick PRNGFixes.apply(); on your main acvitity's onCreate()." That's a guaranteed fix regardless of whether you're starting a new project or already have working code, and will fix code in libraries you might not even realize are using SecureRandom.

Re:How does this get fixed? (0)

Anonymous Coward | about a year ago | (#44576259)

IANAP, and I definitely don't do it on Android but as a layman, I don't think you get the question. Say I was writing a brand new program that needed random numbers. Why would I use SecureRandom instead of just getting the numbers from /dev/urandom? Judging by the workaround, programmers can use either one so what benefit does SecureRandom have?

Due to this thing called OOP, SecureRandom is the class that other APIs expect. People shouldn't write their own encryption, because even very smart people frequently screw it up. You use a set of defined libraries and best practices. When there's a bug in the library you update to the fixed library, problem solved.

Most people will still screw things up, for example using ECB mode instead of knowing when they should switch to CBC mode (hint: nearly always, and if you don't know when you shouldn't use CBC, just use it, you'll be wrong less often).

This stuff is incredibly hard, you do not roll your own. Finally, while the result of /dev/urandom is good for a seed, you can't exactly use it for a key for example.

Re:How does this get fixed? (0)

Anonymous Coward | about a year ago | (#44575773)

Because when you want to simulating rolling a 6 sided die getting raw bits from /dev/random doesn't work so well.

The sane thing is for those making Java to use stuff like /dev/urandom and for those using Java to use SecureRandom. That is assuming there aren't further weaknesses in SecureRandom...

Wasn't Java open? Yet more proof that many eyes does not make security bugs shallow ;).

Re:How does this get fixed? (0)

Anonymous Coward | about a year ago | (#44576303)

Because when you want to simulating rolling a 6 sided die getting raw bits from /dev/random doesn't work so well.

The sane thing is for those making Java to use stuff like /dev/urandom and for those using Java to use SecureRandom. That is assuming there aren't further weaknesses in SecureRandom...

Wasn't Java open? Yet more proof that many eyes does not make security bugs shallow ;).

Java is open and the bug is in a particular implementation called Dalvik that Google wrote. The Oracle JDK does not have this problem. And security is hard, remember the Debian debacle when they commented out the seed because of the valgrind error? That guy actually asked if anyone saw a problem with it on the mailing list, only one person responded (and that person didn't understand the issue either, given their incorrect response).

This stuff is harder than most people think it is.

Re:How does this get fixed? (4, Informative)

Tailhook (98486) | about a year ago | (#44576113)

Why wouldn't you just use /dev/urandom (or better, /dev/random) instead? More layers for more chances to fuck it up?

This is ignorant and needs to be called out.

/dev/(u)random draw on a finite entropy pool. The pool is easily depleted. When there is too little entropy /dev/random blocks on read(2), ruining performance, and /dev/urandom output is cryptographically compromised. From random(4):

The kernel random-number generator is designed to produce a small amount of high-quality seed material to seed a cryptographic pseudo-random number generator (CPRNG). It is designed for security, not speed, and is poorly suited to generating large amounts of random data. Users should be very economical in the amount of seed material that they read from /dev/urandom (and /dev/random); unnecessarily reading large quantities of data from this device will have a negative impact on other users of the device.

Initializing a CSPRNG such as SecureRandom is exactly the intended purpose of /dev/(u)random.

Cryptography does not belong in the hands of second string hacks like the parent AC. It is possible that /dev/(u)random is a bit too easily abused by fools.

Re:How does this get fixed? (0)

Anonymous Coward | about a year ago | (#44576241)

/dev/urandom is itself a pseudo-random number generator. Random numbers for cryptographic applications should be random, not pseudo-random. Yes, on many systems, actual randomness is scarce and should not be used where it isn't needed. On the other hand, when you need randomness, don't settle for pseudo-randomness.

Re:How does this get fixed? (1)

retchdog (1319261) | about a year ago | (#44576569)

Has there yet been an actual attack on a high-quality prng (which didn't rely on implementation bugs)?

All I know is that there are several theoretical prngs where predicting the output sequence is NP-hard under the usual crypto assumptions, but I don't know if they are used in practice.

Re:How does this get fixed? (0)

ADRA (37398) | about a year ago | (#44575559)

Its not Microsoft's fault when someone discovers an exploit in Windows 95 and it isn't Google's fault when someone finds faults in unsupported OS's. Smart phones may have faster rev's but they also have shorter shelf lives. Ultimately its the consumer to take the final responsibility for what they do with their devices, and the blame slides away from there.

I've used google experience phones from day 1 most notably because I know fixes and improvements will be dealt with long into the future. I can't guarantee the same for manufactuers who's bottom line is in direct opposition to maintaining multi-year old devices.

Re:How does this get fixed? (1)

gstoddart (321705) | about a year ago | (#44575647)

I can't guarantee the same for manufactuers who's bottom line is in direct opposition to maintaining multi-year old devices.

Which is why, as much as Android is a cool platform, the fragmentation it has gone through has made so many variations as to mean only a small set at any given time have all of the needed updates.

I can almost guarantee you, most cell phone carriers are still selling devices with ancient versions of Android -- and neither the carrier nor the manufacturer gives a damn, they just want you to buy another device. When I was getting my current cell phone, they had plenty of Samsung devices running Android 2.x or something, and one lower-spec HTC which was running 4.x and could be upgraded.

Which is why I decided when I was in the market for an Android tablet to go with the Nexus, because those have the best possible chance of getting updates to fix stuff like this.

Re:How does this get fixed? (1)

spire3661 (1038968) | about a year ago | (#44575685)

MetroPCS will happily sell you a BRAND-NEW Android 2.3 device right now.

Re:How does this get fixed? (3, Insightful)

gstoddart (321705) | about a year ago | (#44575747)

MetroPCS will happily sell you a BRAND-NEW Android 2.3 device right now.

Which to me pokes holes in the theory this is up to the consumer to be responsible for.

The vast majority of people looking to buy a smart phone won't likely know much about what versions of the OS the phone is running.

It's like selling a product you know might catch fire and kill someone -- you can't just say it's up to the consumer to not buy that model.

Re:How does this get fixed? (0)

Anonymous Coward | about a year ago | (#44575833)

Which will never be upgraded.

Thanks Google & carriers!

Re:How does this get fixed? (1)

petsounds (593538) | about a year ago | (#44575879)

Its not Microsoft's fault when someone discovers an exploit in Windows 95

Fault? No, it's definitely Microsoft's fault. They wrote the exploitable code. The duty, legal obligation, sense of honor, or whatever that applies, well that's a different story.

In Google's case, it looks like this is part of the Java stack. No mention of whether this is an exploitable vector in other Java environments. IMO, part of their Android licensing terms should include the mandatory application of security hotfixes by third party vendors, as provided by Google.

Re:How does this get fixed? (5, Informative)

Baloroth (2370816) | about a year ago | (#44575605)

The flaw can be fixed at the application level by manually initializing the PRNG with entropy from /dev/random or /dev/urandom (the built-in tool wasn't doing that properly unless explicitly told to, hence the vulnerability). Some apps will already be immune, and the rest can be patched to fix the problem. An update to Android proper is not required, unless the app isn't updated for some reason (in which case, find a new wallet).

Re:How does this get fixed? (2)

petermgreen (876956) | about a year ago | (#44575639)

I would expect a two pronged attack on this with both a system side fix (for devices that are still getting updates) and application side fixes as app developers try to cover their users regardless of what version of andriod they are using.

Users using non-market apps or apps from vendors who don't get the memo on smartphones that are no longer getting updates will of course be SOL.

Re:How does this get fixed? (0)

Anonymous Coward | about a year ago | (#44575865)

Users using non-market apps or apps from vendors who don't get the memo on smartphones that are no longer getting updates will of course be SOL.

So, about 95% of Android users?

Re:How does this get fixed? (2)

petermgreen (876956) | about a year ago | (#44575979)

According to the google blog post* the built in SSL stuff is fortunately not affected. So apps that simply act as clients over SSL should be fine. How many applications are there really that need crypto and/or secure random numbers other than SSL. I would think not that many and I would hope that most reputable designers of such applications would have heard about this and be working on an application side fix by now.

* http://android-developers.blogspot.co.uk/2013/08/some-securerandom-thoughts.html [blogspot.co.uk]

Re:How does this get fixed? (1)

Sir_Sri (199544) | about a year ago | (#44576213)

If only I could give you mod points.

This is without a doubt the big weakness in the android and windows phone markets. People will find exploits in your software, that's inevitable. But this problem of not being able to get updates unless you know how to root your phone and install a new build is just not going to work going forward. We cannot have a computing ecosystem where you cannot get updates unless you have significant technical skill to install them. It's just not going to work and it's going to cost a lot of people a lot of money.

When MS entered the market with WP8 they should have said 'no carrier interference' like Apple does. I can see Google was trying to be carrier friendly to win marketshare at the time, but this system is not sustainable.

Sorry, honest mistake (0)

Anonymous Coward | about a year ago | (#44575425)

Google really had no incentive to screw up the random number generator that would be used by every crypto app on the platform. There are no backdoors, only honest mistakes and bugs.

Too many insecure systems ... (4, Insightful)

gstoddart (321705) | about a year ago | (#44575429)

This is why I wouldn't ever consider having my cell phone be something which can directly access my money.

I don't trust the makers to competently build in security, and I believe that once everyone knows your cell phone is likely to be tied to your bank account, it's a soft target.

They keep trying to find new ways to make it more 'convenient' to use these things to spend money, but 'convenient' in this case means insecure and fraught with privacy issues (and extra service fees if they can get away with it).

Same with that tap to pay mechanism ... wow, you mean anybody with my physical card can spend my money without authorization? Gee, sign me up for that.

Tech companies want to make a product or app for pretty much everything -- and a lot of them I find myself asking "who would want that?".

Now, mind the steps while you're leaving my lawn, and don't trip on the sprinkler.

Re:Too many insecure systems ... (0)

Anonymous Coward | about a year ago | (#44575741)

You don't even have to sign for a lot of transactions now. Home Depot $50, Publix supermarket $25 are two examples I get regularly.

Re:Too many insecure systems ... (0)

Anonymous Coward | about a year ago | (#44576255)

You don't even have to sign for a lot of transactions now. Home Depot $50, Publix supermarket $25 are two examples I get regularly.

At Costco, I've spent almost $200 without having to sign.

Caution is never bad (1)

sjbe (173966) | about a year ago | (#44576033)

I don't trust the makers to competently build in security, and I believe that once everyone knows your cell phone is likely to be tied to your bank account, it's a soft target.

A sensible and cautious approach. However it isn't all doom and gloom. To encourage customers to use online banking the banks largely have indemnified users against loss due to unauthorized access. The details vary but you typically can get your money back because it is insured or guaranteed by the bank. Might cause a lot of inconvenience but it's doable. It's not really any more or less secure than accessing your bank through a web browser on a PC. Not to say you couldn't be hacked or have some problems but in practical terms it is a manageable problem in practice.

Frankly the soft target isn't your phone, it is your online user name and password. THAT is the point where most people fall down. Why bother breaking they crypto when you can just social engineer or guess your way into the account? Not to say you shouldn't be concerned about the strength of the crypto but it's not what keeps me up at night.

That said if you have an account with a lot of money in it, it isn't a bad idea to isolate that account from the web if practical. You really only need access to a relatively small amount of cash at any given time so why give online thieves an opportunity if you don't truly need online access to the account? I also think debit cards are the work of the devil. A credit card is fine and an ATM card is ok but debit cards are WAY too easy to abuse. If you have a credit card I cannot fathom why you would ever use a debit card.

Re:Too many insecure systems ... (0)

Anonymous Coward | about a year ago | (#44576141)

Same with that tap to pay mechanism ... wow, you mean anybody with my physical card can spend my money without authorization? Gee, sign me up for that.

What difference does it make? I very rarely have anyone look at my signature and compare it to the card. Occasionally, cashiers will ask to look at my drivers license, but not often (and amusingly, asking to see ID if the back of the card is already signed is actually in violation of most merchant agreements).

Re:Too many insecure systems ... (0)

Anonymous Coward | about a year ago | (#44576459)

This is why I wouldn't ever consider having my cell phone be something which can directly access my money.

I agree 100.0% _COMPLETELY_. It's sure as hell not an online wallet, it's a PHONE. I'm upset that if anyone breaks in they can get to my email which contains ONLY EMAIL INFO ALERTS on my billpay status. ("Entergy is billing you $40 this month, will autopay 5 day before due.") I don't want them to even see THAT, and there's no account info or nothing actually there.

    Never mind an actual account statement.

NFC this [wikipedia.org] !! (Hmmm, now where *DID* gotse wonder off to? ;-) )

Still only one of 360,000 apps (3, Informative)

sl4shd0rk (755837) | about a year ago | (#44575511)

FTFA: security researchers from Symantec issued a report on upwards of 360,000 apps using the SecureRandom class, containing the PRNG flaw in Bitcoinâ(TM)s Elliptic Curve Digital Signature Algorithm (ECDSA).

May give a potential indication at the sheer number of applications affected by this exploit (which is programmer negligence apparently). Drilling into the Symantec article reveals how they arrived at that number.

we have found over 360,000 applications that make use of SecureRandom and over 320,000 of them use SecureRandom in the same way the bitcoin wallets did (they did not call setSeed).

Re:Still only one of 360,000 apps (1)

Anonymous Coward | about a year ago | (#44575641)

Knowing Symantec and security firms in general, they checked 8 applications, found 4 using SecureRandom and 3 without setSeed, and then did a bit of extrapolation.

Srsly, there's ~700-800k Android apps in total and they mean to say each one in two required cryptographic random?.. Think of all those fart apps that have an (extremely long but) predictable sequence of farts instead of true random!

PS: Don't take me wrong, that's a huge security bug, I just hate usual security researchers you-should-totally-buy-our-products-and-services-because-it's-scary-out-there stats.

Re:Still only one of 360,000 apps (4, Informative)

GoogleShill (2732413) | about a year ago | (#44575671)

It isn't programmer negligence in this case, it's the underlying Android implementation. The default constructor is supposed to seed the generator with secure entropy. Conversely, setSeed() is considered insecure and not recommended.

See SecureRandom [android.com]

What about banking sites? (0)

Anonymous Coward | about a year ago | (#44575515)

Everyone is focused on BitCoin, but did this flaw also weaken SSL connections?

Re:What about banking sites? (0)

Anonymous Coward | about a year ago | (#44575675)

It's an RTFA-hard question there!

Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected as those classes do seed the OpenSSL PRNG with values from /dev/urandom

Re:What about banking sites? (1)

petermgreen (876956) | about a year ago | (#44575813)

According to http://android-developers.blogspot.co.uk/2013/08/some-securerandom-thoughts.html [blogspot.co.uk]

"Applications that establish TLS/SSL connections using the HttpClient and java.net classes are not affected as those classes do seed the OpenSSL PRNG with values from /dev/urandom."

Re:What about banking sites? (1)

gweihir (88907) | about a year ago | (#44575895)

Yes. Everything using Java SecureRandom() on Android is potentially broken.

Re:What about banking sites? (1)

NatasRevol (731260) | about a year ago | (#44575949)

I think you could have left out the word 'potentially'.

Re:What about banking sites? (1)

gweihir (88907) | about a year ago | (#44576059)

Actually, if you seed SecureRandom() (and hence the OpenSSL CPRNG) right, SecureRandom() is perfectly fine. It seems however that the SecureRandom() documentation sucks badly and does not make it clear enough that the resulting random numbers will be unsuitable for cryptographic use unless seeded with enough random bits using setSeed(). To make matters worse, the example given in the documentation implies this is not needed. Hence if people use the example for "typical" use, they will be insecure. Quite frankly, this broken class documentation is an accident waiting to happen. And now it has happened.

Of course, this is very bad. It also implies that many people using SecureRandom() have no clue how to use it right. And that is fatal for security.

Someone is gonna say, "I told you so..." (1)

bogaboga (793279) | about a year ago | (#44575525)

I applaud Google's admission, but sad to note that that the argument will embolden those who've been touting the "fact" [sophos.com] that iOS is more secure than Android.

I guess one cannot be blamed for saying, "So much for the so called secure open nature of Android."

It just doesn't seem to work...or does it?

Re:Someone is gonna say, "I told you so..." (1)

jonyen (2633919) | about a year ago | (#44575663)

It's going to take some time. Bitcoin has only been around since 2009. I feel pretty comfortable about doing online banking and using PayPal now, but it took a while to get to that stage. Even before the age of the Internet, there were problems with banking and check scams (ever see "Catch Me If You Can"?). Nothing is ever going to be 100% secure. There's going to be pros and cons to any financial system.

Re:Someone is gonna say, "I told you so..." (2)

aynoknman (1071612) | about a year ago | (#44575885)

There's going to be pros and cons to any financial system.

Problem is that the cons keep getting more and more pro.

Re:Someone is gonna say, "I told you so..." (1)

RoknrolZombie (2504888) | about a year ago | (#44576265)

...and then they enter politics.

Re:Someone is gonna say, "I told you so..." (3, Informative)

petermgreen (876956) | about a year ago | (#44575889)

One big security problem with andriod is the distribution model. Google makes andriod and distributes it to their OEM partners (and to the general public though sometimes with a delay). The OEMs then customise it and pass it on to their users and in most cases (nexus excepted) all updates go through the OEM.

The result is you get the situation of there being lots of older smartphones out there that are still perfectly usable but are no longer able to receive security updates in the regular manner because the OEM can no longer be bothered updating them. Sometimes it's possible to unlock the bootloader and install an unofficial build but that is at best something that requires you to be fairly technical and at worst something where even a computer expert like me can find myself in a dead end*.

* For example htc officially offers a bootloader unlock process but when I tried it on my brother's old wildfire the software version on it was too new to apply the RUU needed for the bootloader unlock process.

Bring in the regulators! (4, Funny)

meta-monkey (321000) | about a year ago | (#44575631)

I'm so glad they're going to start regulating bitcoin. I mean, somebody ran off with $5,720! Monstrous!

That's why I keep my money in safe, secure U.S. dollars and in the stock market, where you don't have to worry about dangerous criminals absconding with your savings.

Re:Bring in the regulators! (1)

Linsaran (728833) | about a year ago | (#44576407)

I prefer to keep it in pure gold pressed latinum, the stock market is only good until the collapse of society, latinum is forever.

Re:Bring in the regulators! (1)

steelfood (895457) | about a year ago | (#44576623)

That $5720 might not buy you a loaf of bread in 50 years, but it'll still be $5720 and not a cent less.

Why is the industry still using pseudo-randoms? (4, Insightful)

MrKevvy (85565) | about a year ago | (#44575645)

True random numbers are as simple as a reversed Zener diode connected to an A/D converter... quantum tunneling across the diode creates truly random signal, equivalent to thermal noise.

So why isn't every CPU nowadays equipped with this, so that the RND function is done in hardware?

Re:Why is the industry still using pseudo-randoms? (0)

Anonymous Coward | about a year ago | (#44575765)

Speed of generation.

Re:Why is the industry still using pseudo-randoms? (1)

MrKevvy (85565) | about a year ago | (#44575821)

"Speed of generation."

I'm willing to bet hardware RNG is still several orders of magnitude faster than "move your mouse randomly" takes.

Re:Why is the industry still using pseudo-randoms? (0)

Anonymous Coward | about a year ago | (#44575921)

It had to nix'ed after the avalanche breakdown took out a troop of boy scouts during a ski trip.

Re:Why is the industry still using pseudo-randoms? (3)

gweihir (88907) | about a year ago | (#44575891)

You ask the wrong question. Many embedded CPUs have these devices and with a driver, the Linux kernel uses them. But when the application designers chose to ignore /dev/random (where the kernel exposes its entropy collection), then no amount of good randomness provided by the kernel will help. Incidentally, /dev/random is very good even without hardware RNG, in certain situations you may just have to wait a bit.

The second problem here was that the OpenSSL CPRNG is by its design very much dependent on a good initialization. This is not an obscure or hidden fact, but apparently Google had no competent security people on this project and did not ask any competent 3rd party for an independent review.

Re:Why is the industry still using pseudo-randoms? (1)

Anonymous Coward | about a year ago | (#44576049)

OpenSSL is a very convoluted library which evolved organically. Few people understand how to use it properly.

But I'm guessing the problem here is that OpenSSL's PRNG, even though it is effectively a global singleton, must be _manually_ initialized by the process. It doesn't have automatic load-time initialization, probably because there's no portable way to do this in C (Linux and most BSDs support it, but not Solaris AFAIK, and in any event that only works if it's compiled as a dynamic library).

Even though OpenSSL is a giant PITA, it's still the best thing out there because it's constantly being developed and is kept fairly up-to-date with the latest standards and algorithms. Apple decided to deprecate OpenSSL because of some dubious reasoning about ABI compatibility, and yet over 7 years later they have nothing that comes close to matching the breadth and depth of the OpenSSL API.

Re:Why is the industry still using pseudo-randoms? (1)

WaffleMonster (969671) | about a year ago | (#44576247)

OpenSSL is a very convoluted library which evolved organically. Few people understand how to use it properly.

Google peeps regularly contribute significantly to the OpenSSL project. I find it hard to accept this as an excuse.

But I'm guessing the problem here is that OpenSSL's PRNG, even though it is effectively a global singleton, must be _manually_ initialized by the process.

While this used to be the case a long long while ago it has not been true since 0.9.7. Any reasonably current version of openssl (e.g. any version without known vulnerabilities) automatically handles this for you by sucking from /dev/urandom, CryptGenRandom(), etc as needed on major platforms.

I fail to comphrend WTF is going on here. Is /dev/urandom broke? Are they using an ancient version/fork of openssl? Are they actively seeding the PRNG with predictable garbage when it is not necessary? Either way faulting OpenSSL seems out of line to me.

Re:Why is the industry still using pseudo-randoms? (1)

gweihir (88907) | about a year ago | (#44576329)

You are right that OpenSSL must be manually seeded and that there really is no way around that. But seeding a CPRNG is a difficult thing and any competent user of cryptography will pay special attention to it. I think however, the problem is that when the Java SecureRandom() is used before being seeded, it "self-seeds" and the Java documentation makes no claim at all about the quality of that seeding. True, Google could have made sure to seed from /dev/urandom in this case to protect the unwary. Also true, the documentation of SecureRandom() could have avoided giving example code that use the self-seeding. And Sun/Oracle could have required that self-seeding _must_ be secure or fail with an exception.

In the end, I think the real root-cause is a convoluted, hard-to-understand API documentation for SecureRandom(), including a misleading example, that is very, very hard to understand for anybody not experienced in the use of cryptography. If they just had said "seed this with enough unpredictable bytes or be insecure" that would probably already have been enough. They did not or rather they did, but not in a way that is clear.

Re:Why is the industry still using pseudo-randoms? (1)

steelfood (895457) | about a year ago | (#44576659)

Google had no competent security people on this project and did not ask any competent 3rd party for an independent review.

What does Google care about the security of your data? They have it all anyway.

Great! (0)

Anonymous Coward | about a year ago | (#44575691)

...and will reach the majority of Android users in the next 3-5 years.

Re:Great! (1)

bobbied (2522392) | about a year ago | (#44575749)

... Once they upgrade their current device...

Re:Great! (0)

Anonymous Coward | about a year ago | (#44576153)

Bwhahahahahahahha!

Upgrade how?!?!?!?

Re: Great! (0)

Anonymous Coward | about a year ago | (#44576497)

Obviously the advantage with iOS devices from Apple is that Apple forces an annual update, by abandoning their older hardware after about a year.

Obligatory... (0)

Anonymous Coward | about a year ago | (#44575725)

...and nothing of value was lost.

Better to not trust (1, Interesting)

m.dillon (147925) | about a year ago | (#44575737)

Hence why all my Android and iOS devices run a VPN (using the OpenVPN app which works great on both). Of course, the network at the VPN end-point isn't necessarily more secure, but it will be far more secure than all the networks in-between.

The real question here is... will Google at LEAST update all the phones and pads under their own control? Motorola and Nexus updates, please!

-Matt

Re:Better to not trust (1)

Anonymous Coward | about a year ago | (#44576275)

Running your devices through a VPN will do literally nothing to solve this particular problem.

DANGER: DO NOT ALLOW AD BROKERS TO DO YOUR OS !! (1)

Anonymous Coward | about a year ago | (#44575759)

You can only blame yourselves !! Leave OS design and implementation to the professionals; there is only one name that can be trusted: MicroSoft !!

Any relation to Seeder (1)

SleepyHappyDoc (813919) | about a year ago | (#44575817)

Someone released an app on XDA, called Seeder, that purports to create entropy to seed the random number generator. Does this have anything to do with that app, or the bug that prompted the developer to write it? I remember when people were discussing the original app (which some people say only has a placebo effect), and they were saying it had security implications...does it make this problem worse or better?

Amateurs. OpenSSL is _not_ the problem. (4, Insightful)

gweihir (88907) | about a year ago | (#44575845)

This is not an OpenSSL-flaw. Proper initialization of a CPRNG is critical and the OpenSSL documentation states that. The choice of OpenSSL is however especially bad with a bad initialization, as the OpenSSL CPRNG does not continue to seed the generator with additional entropy during its operation, unlike /dev/random or /dev/urandom. Google messed up spectacularly in two regards:

1. They had nobody that understood secure random number generation on the team
2. They did not have their solution independently reviewed by a competent 3rd party

They also selected a CPRNG especially vulnerable to bad seeding and did not use a source of good seeding readily available.

These mistakes are on low amateur level when implementing cryptographic functionality. The dangers of bad CPRNG seeding have been well understood for decades. This looks like the all-to-often found mixture of incompetence and arrogance.

Re:Amateurs. OpenSSL is _not_ the problem. (0)

Anonymous Coward | about a year ago | (#44575977)

Consider the possibility that they had their "solution" approved by external consultants who know everything there is to know about random numbers and how they pertain to cryptographic systems and their strength, or lack thereof.

Re:Amateurs. OpenSSL is _not_ the problem. (1)

gweihir (88907) | about a year ago | (#44576125)

Well, in that case they have no clue and their 3rd party had no clue. Hardly makes it any better.

However after having reviewed the SecureRandom() documentation, I think Google is technically in the right. The documentation is fuzzy, unclear and contains as only example a case where SecureRandom() is "self seeded". While it is mentioned that seeding needs to be done with unpredictable data, no statement is made that self-seeding must do this and furthermore, no help on how to correctly seed is provided. I think the people having written this piece of dangerous documentation-trash should be disallowed from ever writing anything technical again. This documentation is worse than no documentation, as it gives wrong impressions that compromise security.

Re:Amateurs. OpenSSL is _not_ the problem. (0)

Anonymous Coward | about a year ago | (#44576309)

Consider the possibility that it wasn't an accident.

Re:Amateurs. OpenSSL is _not_ the problem. (1)

gweihir (88907) | about a year ago | (#44576437)

No. Far, far too obvious.

Re:Amateurs. OpenSSL is _not_ the problem. (1)

fph il quozientatore (971015) | about a year ago | (#44576081)

From what you say, it looks a lot like OpenSSL's fault: why does the RNG work even without proper initialization, allowing users to do the wrong thing in the first place? It should return an error unless safe_init() is called before get_random_number().

Re:Amateurs. OpenSSL is _not_ the problem. (1)

gweihir (88907) | about a year ago | (#44576227)

No, it is not. A CPRNG cannot realistically evaluate the quality of the initialization data it is fed with. Sure, it could detect gross non-randomness, but that is it. (Example: Seed it with the time of day, encrypted with AES and key "123456789". That is a very bad seed, but basically impossible to detect without code analysis.)
  OpenSSL uses a small-state generator, which is extremely vulnerable to bad seeding. But that fact is not hidden in any way and well-known to experts.

But you are not so wrong. When looking at the documentation of Java SecureRandom(), it is not made very clear there that this thing needs to be seeded in a very careful and specific way to be secure. What is worse, is that if it is used without explicit seeding (and the only code example does exactly that!), it "self-seeds", but nothing requires that to be a good seeding in any way. Sure, if Google had been careful/competent, they would have made sure that SecureRandom() is always seeded securely, unless the programmer supplied bad initialization bytes (which can be useful for debugging and other uses). But the real blame in this case is on an atrociously bad API description in the Java API reference. One of many.

Re:Amateurs. OpenSSL is _not_ the problem. (1)

WaffleMonster (969671) | about a year ago | (#44576375)

This is not an OpenSSL-flaw. Proper initialization of a CPRNG is critical and the OpenSSL documentation states that. The choice of OpenSSL is however especially bad with a bad initialization, as the OpenSSL CPRNG does not continue to seed the generator with additional entropy during its operation, unlike /dev/random or /dev/urandom. Google messed up spectacularly in two regards:

According to FAQ if /dev/urandom is there openssl uses it.

http://www.openssl.org/support/faq.html#USER1 [openssl.org]

Re:Amateurs. OpenSSL is _not_ the problem. (1)

gweihir (88907) | about a year ago | (#44576473)

Yes, but does the self-seeding of Java SecureRandom() use it too? My guess is it does all OpenSSL seeding itself and does not fall back on the OpenSSL defaults. And the Java documentation for SecureRandom() makes absolutely no statement about the quality of self-seeding.

Intel RdRand would have solved this (1)

TechyImmigrant (175943) | about a year ago | (#44575847)

If the phones used an Intel SOC, with the RdRand instruction, this would not have happened, because the phone would have over 100MBytes/s of cryptographically secure random numbers from an on chip TRNG, available to software through a single instruction.

ARMs are limited in ways other than just being slow. When it comes to security, these things matter.

Only helps if your device... y'know... *updates*.. (1)

jemenake (595948) | about a year ago | (#44575881)

"The flaws are already, or in the process of being repaired..."

Oh, so those 2% of Android devices which are running the latest Droid OS can breathe easy now...

I know (0)

Anonymous Coward | about a year ago | (#44575933)

They were misusing the NSA hole in the Android crypto. Smells like inhouse job, maybe Snowden gave the heads up.

happy (0)

Anonymous Coward | about a year ago | (#44575951)

My last pay check was $8500 working 10 hours a week online. My younger brother friend has been averaging 12k for months now and he works about 22 hours a week. I can't believe how easy it was once I tried it out. This is what I do, RUN33.COM
Destiny is not a matter of chance; it is a matter of choice. It is not a thing to be waited for; it is a thing to be achieved.

Java has gotten to obscure (2, Interesting)

gweihir (88907) | about a year ago | (#44575973)

Or rather the Java libraries and their documentation. My guess is that nobody working on this application even noticed that they did seed SecureRandom wrongly. At the same time, making sure this class is always seeded securely (which the spec would allow and would cause negligible overhead) would have been the right thing to do. But after looking at the problem in more detail, I am not so sure anymore this mistake by Google is the root-cause. It is also quite possible that Java programmers in general have stopped caring how classes do things internally, as long as they seem to work. The documentation for the Java crypto API is certainly convoluted and uninformative enough to be rather painful to read and left me wondering what the different methods actually do.

Re:Java has gotten to obscure (0)

Anonymous Coward | about a year ago | (#44576135)

Yes, perhaps its not Google's fault because maybe the docs suck? Google wrote the code and docs in question didn't they? They are using their own implementation of the JVM even. I don't see how, even if caused by bad docs, this is not Google's fault. They even claim their own code was wrong in this case on their own blog!

The fact that the CPRNG is supposed to be initialized with enough entropy is part of the spec. The fact that some of their own code for HTTPS didn't rely on this and used setSeed indicates something is strange here. The http code should have also been vulnerable because it should not have been using setSeed, because thats not suppose to help at all and adds a potential place to mess up on all users of the API. They just got lucky in that case that the application level seed setting code is apparently ok, while the library it was overriding that they suggest you use is wrong.

Re:Java has gotten to obscure (2)

gweihir (88907) | about a year ago | (#44576423)

No. The Java documentation is by Oracle/Sun: http://docs.oracle.com/javase/6/docs/api/java/security/SecureRandom.html [oracle.com]

It would however have been a good idea to make sure self-seeding is secure, even if not required by the spec. (It says absolutely nothing about the quality of self-seeding.) That is the only possible fault with Google I can see: They did not protect the unwary and the incompetent. True, the traps set up by the atrociously bad Oracle API documentation are obvious enough to experts that any sane implementation should make sure just copying the example _is_ secure. So if you will, this mess was created by Oracle/Sun in collaboration with Google and people implementing crypto without understanding it and which parts need special attention.

Just wondering... (1)

lxs (131946) | about a year ago | (#44576017)

How long until Google lawyers will claim that Android users have no expectation of security [cnet.com] ?

This is not just a Bitcoin problem (2)

mathimus1863 (1120437) | about a year ago | (#44576075)

This certainly affects Bitcoin the most, but a random number generator that actually produces the same "random" numbers is hardly random at all, and could present a serious problem for all types of applications. In fact, that's a thoroughly-broken random number generator and all crypto-related operations could be hosed. I'm wondering how such an egregious PRNG/seeding-algo made it this long without someone noticing. Maybe it's because Bitcoin provides a financial incentive to find these flaws, and honestly it's pretty easy to spot it from a one-minute blockchain scan -- just look for two transactions with identical r-values, plug it into the stupid-simple equation, and then steal the money.

This has actually come up in the Bitcoin space before: people were rolling-their-own-ECDSA for constructing and signing transactions, and were not aware of the importance of using different random numbers for every signature. As such, about a year ago someone did an identical blockchain search and was able to steal coins the exact same way: but it was due to script-kiddie ignorance. It was assumed this problem would go away when you start using the system PRNG, and taught people a lesson about rolling-their-own-crypto. Even if it's a weak system PRNG, the ECDSA signatures are fairly strong as long as the numbers are different between signatures. Apparently this was more than just "weak" though...

For Android/mobile, the answer is to leverage the variety of sensors that are on-board. Using the low bits of accelerometer output should work great for seeding a PRNG if someone is actually holding the phone. If not, snap an image or take a quarter-second audio recording should suffice. There's enough noise on the camera and microphone that the hash of the output should be different even if it's sitting camera down in a quiet room. A lot of times you only 32-bytes of entropy, and a single image with 5 million pixels can give you an order of magnitude more than that just from the random variations in sensor output in a dark room.

Name one secure system (1)

WOOFYGOOFY (1334993) | about a year ago | (#44576107)

Just one.

OK then, what does that imply for you ? It's in the current nature of Bitcoin that all your Bitcoins ARE in one basket and you should disaster plan accordingly.

WTF (0)

Anonymous Coward | about a year ago | (#44576489)

Why are files from one app available to another?

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?