NANO Issues Alert on Android App Vulnerability, Urges Users to Move Funds
NANO, which recently rebranded from RaiBlocks in January 2018, has issued a statement alerting users about a vulnerability in their android wallet, urging them to move their funds to a new wallet.
This applies to anyone who generated a wallet seed using the NANO android wallet, which was released just a few hours ago.
The issue stems from the usage of the Random.java class which is used to generate a stream of cryptographically secure pseudorandom numbers. The dev team seems to have overlooked this, and it is important to note that this issue wasn’t previously discovered.
According to a reddit post by Nanex’s CEO the random method uses a combination of the current time and the device memory address of the ‘java.util.Random’ class.
public Random() { internalSetSeed( System.currentTimeMillis() + System.identityHashCode(this)); }
The code generates 64 random integers, converts them to a hex format and then uses the first 64 characters off the result. A possible fix would be using the SecureRandom method, which is much more secure and recommended as per the official java docs.
The java docs explicitly mention the following:
“Instances of
java.util.Random
are not cryptographically secure. Consider instead usingSecureRandom
to get a cryptographically secure pseudo-random number generator for use by security-sensitive applications.”
Effectively, you would need a malicious process running on your android phone that had access to the memory address space, which is the memory in a device an app/process has access to. This would result in your NANO wallet seed being compromised.
However, the user goes on to point out that unless this attack vector was actually used, the likelihood of your seed getting compromised is minimal.
It is however, a safe practice and highly recommended to move out your NANO funds into a different wallet with a new seed, just so users are on the safe side. The NANO team is currently patching the wallet to make it cryptographically secure, and the warning was issued immediately after they found it.
Nano has had a bad year so far, with the high profile BitGrail hack that resulted in 17 million coins being stolen, followed by both BitGrail and the NANO team maintaining their stance they weren’t at fault. There have been several series of twists and turns, including BitGrail cofounder Francesco Firano asking the NANO team to fork the NANO blockchain, effectively restoring stolen funds.
BitGrail, which has long maintained a low profile in the exchange niche, has caused a lot of pain for retail traders, including one such user who held $1.4 million in NANO on the exchange which he lost. In a reddit post, the user went on to explain that the 10 bitcoin/day withdrawal limit severely affected him, and it didn’t help at all when it was reduced to 1 bitcoin/day, along with unresponsive support.