NANO, formerly RaiBlocks, has alerted users to a vulnerability in its Android wallet, urging them to move their funds to a new wallet.
NANO, which rebranded from RaiBlocks in January 2018, has issued a statement alerting users to a vulnerability in its Android wallet and urging them to move their funds to a new wallet.
This applies to anyone who generated a wallet seed using the NANO Android wallet, which was released just a few hours ago.
The issue stems from the use of the Random.java class (java.util.Random) to generate the wallet seed, a job that calls for a stream of cryptographically secure pseudorandom numbers, which this class does not provide. The dev team seems to have overlooked this, and it is important to note that this issue wasn’t previously discovered.
According to a Reddit post by Nanex’s CEO, the random method uses a combination of the current time and the device memory address of the ‘java.util.Random’ class:
    public Random() {
        internalSetSeed(System.currentTimeMillis() + System.identityHashCode(this));
    }
The code generates 64 random integers, converts them to hex format and then uses the first 64 characters of the result. A possible fix would be to use the SecureRandom class, which is much more secure and is recommended by the official Java docs.
The Java docs explicitly mention the following:
“Instances of java.util.Random are not cryptographically secure. Consider instead using SecureRandom to get a cryptographically secure pseudo-random number generator for use by security-sensitive applications.”
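The seed-generation pattern described above, next to a SecureRandom-based replacement, as an added example (not the NANO wallet's code; the class and method names are hypothetical). The PRNG seed value is constructed, and is passed in explicitly to stand in for the time-plus-identity-hash seeding quoted above.

```java
import java.security.SecureRandom;
import java.util.Random;

public class SeedGenerationDemo {

    // Pattern described in the article (reconstructed, hypothetical):
    // 64 ints from java.util.Random, hex-encoded, first 64 characters kept.
    static String weakSeed(Random rng) {
        StringBuilder hex = new StringBuilder();
        for (int i = 0; i < 64; i++) {
            // Each int contributes 1 to 8 hex digits, so 64 ints always give >= 64 characters.
            hex.append(Integer.toHexString(rng.nextInt()));
        }
        return hex.substring(0, 64);
    }

    // Hardened form: 32 bytes (256 bits) from SecureRandom, hex-encoded to 64 characters.
    static String strongSeed() {
        byte[] bytes = new byte[32];
        new SecureRandom().nextBytes(bytes);
        StringBuilder hex = new StringBuilder(64);
        for (byte b : bytes) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) {
        // Constructed stand-in for System.currentTimeMillis() + System.identityHashCode(this).
        long constructedPrngSeed = 1_518_000_000_000L + 0x1234abcd;

        // Two independent Random instances with the same PRNG seed yield the same
        // wallet seed: all of its unpredictability comes from that one long value.
        String a = weakSeed(new Random(constructedPrngSeed));
        String b = weakSeed(new Random(constructedPrngSeed));
        System.out.println("weak seed A : " + a);
        System.out.println("weak seed B : " + b);
        System.out.println("identical   : " + a.equals(b));

        // SecureRandom draws from the platform's cryptographic generator, so every
        // call produces an unrelated 256-bit value.
        System.out.println("strong seed : " + strongSeed());
        System.out.println("strong seed : " + strongSeed());
    }
}
```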
Effectively, you would need a malicious process running on your Android phone that had access to the memory address space, which is the memory on a device that an app or process has access to. This would result in your NANO wallet seed being compromised.
However, the user goes on to point out that unless this attack vector was actually used, the likelihood of your seed getting compromised is minimal.
It is, however, a safe practice and highly recommended to move your NANO funds to a different wallet with a new seed, just to be on the safe side. The NANO team is currently patching the wallet to make it cryptographically secure, and the warning was issued immediately after they found the issue.
Source/More: NANO Alerts on Android App Vulnerability, Urges Users to Move Funds