Press Release

Expect more breaches like Bitcoin in the future

Applications that use the same random number function for security could be compromised, affecting millions of users.

Applications using the same function to generate random numbers for security could be compromised, affecting millions of users, British IT security firm MWR InfoSecurity has warned.

The comment was made after Android’s Bitcoin apps were targeted by a random number generation bug resulting in theft.

Ian Shaw, Managing Director of MWR InfoSecurity, said: “There appears to be a flaw in the SecureRandom function which is used to generate random numbers for security. There are more applications than just Bitcoin wallets that rely on this function for security so it is likely that we see more breaches like this in the future.”

“Normally, such issues appear due to mistakes in individual applications. This is a flaw found in an Android function, which is rarer and much more wide-reaching,” he warned.

Shaw added: “Because Bitcoin transactions are public and shared by design, it is a lot easier for an attacker to scan for those using a vulnerable client. They don’t need to attack the user directly as they have everything they need from the Blockchain, which is the database that holds information about all transactions.”

Shaw said that because these transactions were designed to be pseudo-anonymous and non-refundable, no support network, such as credit card Chargeback, had been put in place to recover any losses.


