Friday, August 16, 2013

Critical Android cryptographic flaw seen in the wild, used in Bitcoin theft

Shortly after security firm Symantec detailed what it called a critical Android cryptographic issue that could affect hundreds of thousands of apps," Google on Wednesday confirmed the flaw in its mobile platform. The company's blog post also acknowledged that the vulnerability was the root cause of a Bitcoin transaction that ended up pinching a large sum of bitcoins (worth around $6,200 at market price on Thursday) out of a digital wallet last week.

Google said that contrary to earlier reports -- and the word "may" used in the Symantec blog post, the flaw affects all versions of Android, not just Android 4.2 and earlier.

Google said:
We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG (pseudo-random number generator).

Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected.
Google acted quickly to patch the hole. It is already distributing patches for the flaw to device manufacturers.

However, due to the well-criticized Android fragmentation, it could take a considerable amount of time for those patches to make their way into OEM ROM builds, and then pass inspection by various carriers.

An earlier vulnerability that exploited Android's so-called "master key" has also been patched by Google, but considering the lack of ROM updates that have arrived on various handsets we have access to, that fix hasn't arrived yet, either, at least not to all handsets on all carriers.

No comments: