Java Function Exposes All Android Users to Bitcoin Theft, Highlights Errors & Omissions Liability Issues


A security flaw in Java exposes users to potential data theft -- what IT professionals can do to manage the associated Errors & Omissions risk.

Friday, January 10, 2014 / Categories: cyber-risk

This summer, Bitcoins may have received more hype than Justin Bieber. But recently, the digital currency has been in the news due to a cyber security flaw, which sheds light on security and liability issues for all software and app developers.

According to Ars Technica, a Java vulnerability in Android phones has exposed owners of the digital currency Bitcoin to theft. Basically, a problem in the Android Java SecureRandom class, which Bitcoin relies on for security, means that in certain situations the random numbers it generates aren't entirely random. This can allow hackers to figure out the unique "private keys" for a Bitcoin, which enables them to steal money from the currency's owner. Translation: Whoops.

Already, thousands of dollars have been stolen from Bitcoin owners, and makers of Bitcoin wallet apps (like BitcoinSpinner and Bitcoin Wallet) are scrambling to update their software. Why? Because the apps these developers built rely on SecureRandom to function. Because that class exposes its users to theft, app developers who incorporated it into their programs could be sued in an Errors & Omissions suit by app users whose money was stolen. And even if an E&O suit doesn't ultimately lead to a judgment, the cost of defending yourself against those charges can be significant.

The SecureRandom class is a fundamental part of digital cryptography, and software security company Symantec has come out to say that the flaw "may affect hundreds of thousands of apps."
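
The visible symptom of the SecureRandom weakness described above is that two ECDSA signatures made with the same key carry the same r value, because the per-signature random number repeated. The audit check below is an added example, not code from this article or from any wallet project; the record layout, key labels and sample signatures are constructed, and signatures are assumed to be DER-encoded with any trailing sighash byte already removed.

```python
from collections import defaultdict

def parse_der_sig(sig: bytes):
    """Return (r, s) from a DER ECDSA signature: 30 len 02 rlen r 02 slen s."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected a DER INTEGER")
        n = sig[pos + 1]
        body = sig[pos + 2 : pos + 2 + n]
        if n == 0 or len(body) != n:
            raise ValueError("truncated INTEGER")
        ints.append(int.from_bytes(body, "big"))
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return ints[0], ints[1]

def find_reused_nonces(records):
    """records: (key_label, txid, sig_hex) tuples -> {key_label: {r: [txids]}}."""
    seen = defaultdict(lambda: defaultdict(list))
    for key, txid, sig_hex in records:
        r, s = parse_der_sig(bytes.fromhex(sig_hex))
        seen[key][r].append((txid, s))
    findings = {}
    for key, by_r in seen.items():
        for r, uses in by_r.items():
            # Same r with different s: one random value signed two messages.
            # Same r and same s is just the same signature recorded twice.
            if len({s for _, s in uses}) > 1:
                findings.setdefault(key, {})[r] = [txid for txid, _ in uses]
    return findings

# Constructed sample records; real r and s values are 32 bytes, these are
# shortened to 4 bytes so the DER layout is easy to read.
SAMPLE = [
    ("key-A", "tx1", "300c020411223344020455667788"),
    ("key-A", "tx2", "300c02041122334402040a0b0c0d"),  # r repeats, s differs
    ("key-A", "tx3", "300c02047a7b7c7d020455667788"),
    ("key-B", "tx4", "300c020411223344020401020304"),  # single use of key-B
]

if __name__ == "__main__":
    for key, by_r in find_reused_nonces(SAMPLE).items():
        for r, txids in by_r.items():
            print(f"{key}: r={r:#x} reused in {txids}; treat key as exposed")
```

A key flagged by this check should be treated as exposed and replaced with one generated after the platform fix is installed.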

Security Vulnerabilities Are Inherent E&O Risks for All Developers

What's interesting about this situation is that the security flaw isn't in the developers' software, but rather in the Android platform itself and specifically this particular Java component. But these kinds of security issues aren't new. In fact, this same problem was exploited by hackers three years ago in attacks on the PlayStation 3 master key.

The situation with Bitcoin provides an important reminder: all software and app developers are at risk for security breaches, because the functions they use and the very platforms they use can have mistakes or improperly functioning components that expose their customers.

And when your customers' data is exposed, liability can run downstream to you. Depending on the circumstances of the case, data exposure could lead to Cyber Liability or E&O charges, both of which are costly to defend against.

How to Reduce Your Software and App Security Risk

What can your business do to protect itself?

  • Stay abreast of security developments. IT businesses need to know about new security flaws as they happen and need to update their software accordingly. Reading cyber security blogs or following knowledgeable people on Twitter can help your business preemptively respond to cyber threats and avoid potential lawsuits.
  • Remind your clients to update their software. In addition to the obvious point that your clients need to run the most secure and up-to-date versions of your software, it's also important to remember that if your client is using an older version of an OS or smartphone platform, they may be susceptible to other security breaches. If feasible, remind your clients to download important updates when they come out. You may also think about including language in your Terms of Use to protect you from these and other liabilities.
  • Know your liabilities. Your business could be liable for security flaws like the Bitcoin one, where the vulnerability is not in your software, but in the function it uses. It can be nearly impossible to anticipate this kind of liability.

You may also be liable for not taking fast enough measures to correct a problem. A judge or jury may rule that you should have done more to protect your clients, inform them about the problem, or respond to a potential threat.

For information about how Errors & Omissions and Cyber Liability Insurance can protect your business against a cyber security lawsuit, check out this article. To receive a free quote on this insurance or any other, contact TechInsurance today.
