
Crypto flaws in Blockchain Android app sent bitcoins to the wrong address


A comedy of programming errors could prove catastrophic for affected users.



Blockchain, one of the Internet's most widely used Bitcoin wallets, has rushed out an update for its Android app after discovering critical cryptographic and programming flaws that can cause users to send digital coins to the wrong people with no warning.


The vulnerabilities affect a subset of people who run Blockchain for Android on versions 4.1 or older of the mobile OS, according to an advisory published Thursday. The most serious of the flaws is the use of unencrypted HTTP connections when the app's cryptographic engine contacts random.org to obtain random numbers used to generate private keys for Bitcoin addresses. Since January, random.org has required the use of the more secure HTTPS protocol and has returned a 301 Moved Permanently response when accessed through HTTP. As a result, vulnerable installations of Blockchain for Android generated the private key corresponding to the address 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F, regardless of the address specified by the user.


"To our knowledge, this bug resulted in one specific address being generated multiple times, leading to a loss of funds for a handful of users," Thursday's advisory stated.


According to this entry in the Bitcoin ledger, the owner of the lucky 1Bn9ReEocMG1WEW1qYjuDrdFzEFFDCq43F address appears to have received almost 34 bitcoins since January, when the address became active (hat tip to Ars reader Bob Loblaw). Nicholas Weaver, a security researcher at the International Computer Science Institute in Berkeley, California, said it's possible multiple people may have been able to benefit from the error through the use of "tumbler" services designed to obfuscate how bitcoins are spent and received. Still, at today's rate, the 34 bitcoins are worth about $8,100.


Additionally, in certain cases, the pseudorandom number generator in Blockchain for Android failed to access random data that was supposed to be mixed into the random bits downloaded from random.org. Instead of returning an error, the app simply used the 256-bit number provided by random.org as the sole input for generating private keys. That meant the random.org website was the sole supplier of entropy used in the generation process.


It's not entirely clear what causes some users on Android 4.1 and earlier to be vulnerable while others are not affected. Some people have speculated that the vulnerability is present on devices that can't access random values that are supposed to be available in the /dev/urandom file.


The horror


Cryptography and security experts were aghast at the scale of the error. Beyond no one using HTTPS by default to access random.org—and the months-long failure to catch the 301 response—there's a more fundamental error of judgement. Random numbers are one of the most important components in secure cryptographic functions. Critics said it was a mistake of epic proportion for Blockchain to be so casual about how it went about obtaining the raw material for such key ingredients.


"WTF? The blockchain.info Android app was just getting 'random' numbers from the Internet?" Weaver wrote on Twitter. "I think I need to write a followon rant: how to make money in Bitcoin with sabotaged pRNGs. Reduce entropy pool to 30 bits with 'improvements'," he added.


The vulnerabilities involved the use of the LinuxSecureRandom programming interface to generate pseudorandom numbers instead of SecureRandom, which is the more standard interface for Android developers. The idea behind the customization in Blockchain seemed to be the ability to pull in random values from two sources—random.org and a resource residing in the OS itself. In retrospect, the lack of HTTPS protections, the failure to detect a 301 response, and the inability of some devices to pull random bits from the OS itself underscore how easy it is to make mistakes when developing home-grown cryptographic solutions.
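The failure chain described above (an unchecked 301 response plus a silent fallback when OS entropy is missing) can be contrasted with a fail-closed design in a short sketch. This is an added example, not Blockchain's code: `naive_seed` is a constructed simplification of the failure mode, and all function names, the `seed-v1` label and the sample redirect body are assumptions.

```python
import hashlib
import os
from typing import Optional

SEED_LEN = 32  # 256 bits, the size the article says came from random.org
# Constructed sample of a body an HTTP client might receive with a 301.
REDIRECT_BODY = b"<html><head><title>301 Moved Permanently</title></head></html>"


def naive_seed(status: int, body: bytes, os_entropy: Optional[bytes]) -> bytes:
    """Constructed simplification of the failure mode: the HTTP status is
    never inspected and missing local entropy is silently tolerated."""
    h = hashlib.sha256(body)
    if os_entropy:                       # absent OS entropy is not an error here
        h.update(os_entropy)
    return h.digest()


def parse_remote_entropy(status: int, body: bytes) -> bytes:
    """Accept only a 200 response whose body is hex for exactly 32 bytes."""
    if status != 200:
        raise ValueError(f"unexpected HTTP status {status}")
    text = body.strip().decode("ascii", errors="strict")
    raw = bytes.fromhex(text)            # raises ValueError on non-hex input
    if len(raw) != SEED_LEN:
        raise ValueError("remote entropy has wrong length")
    return raw


def hardened_seed(os_entropy: Optional[bytes], remote: Optional[bytes] = None) -> bytes:
    """OS CSPRNG output is mandatory; remote data is only mixed in on top."""
    if os_entropy is None or len(os_entropy) < SEED_LEN:
        raise RuntimeError("OS entropy unavailable: refusing to generate a key")
    h = hashlib.sha256(b"seed-v1")       # domain-separation label (hypothetical)
    h.update(os_entropy)
    if remote is not None:
        h.update(remote)
    return h.digest()


if __name__ == "__main__":
    # Two separate "devices" with no OS entropy and the same redirect body.
    same = naive_seed(301, REDIRECT_BODY, None) == naive_seed(301, REDIRECT_BODY, None)
    print("naive: identical seed on both devices:", same)
    try:
        parse_remote_entropy(301, REDIRECT_BODY)
    except ValueError as exc:
        print("hardened parser rejected response:", exc)
    print("hardened seed:", hardened_seed(os.urandom(SEED_LEN)).hex())
```

In the hardened path the remote value can only add to the OS-supplied entropy, so a redirected, tampered or constant response cannot reduce the seed to a predictable value.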



