Press Release

Expect more breaches like Bitcoin in the future


Applications using the same random number function for security could be compromised, affecting millions of users.

Applications using the same function to generate random numbers for security could be compromised, affecting millions of users, British IT security firm MWR InfoSecurity has warned.

The comment was made after Bitcoin apps on Android were hit by a random number generation bug that resulted in theft.

Ian Shaw, Managing Director of MWR InfoSecurity, said: “There appears to be a flaw in the SecureRandom function which is used to generate random numbers for security. There are more applications than just Bitcoin wallets that rely on this function for security so it is likely that we will see more breaches like this in the future.”

“Normally, such issues appear due to mistakes in individual applications. This is a flaw found in an Android function, which is rarer and much more wide-reaching,” he warned.

Shaw added: “Because Bitcoin transactions are public and shared by design, it is a lot easier for an attacker to scan for those using a vulnerable client. They don’t need to attack the user directly as they have everything they need from the Blockchain, which is the database that holds information about all transactions.”

Shaw said that because these transactions were designed to be pseudo-anonymous and non-refundable, no support network, such as credit card chargeback, had been put in place to recover any losses.

 

 
