FREAK flaw leaves Apple, Google users at risk

"Zombie" flaw the result of US watering down encryption for export

A flaw in the TLS/SSL client software used by Android, iOS and Mac OS X devices has left their encrypted connections open to interception for more than ten years.

The vulnerability, named Factoring Attack on RSA-EXPORT Keys, or Freak, is a legacy of US government rules that banned the export of strong encryption. Those rules were relaxed in the late 1990s, but the deliberately weakened "export grade" cipher suites created to satisfy them were never removed from many TLS/SSL implementations, and a large number of servers still accept them.

That means an attacker sitting between a client and a server can downgrade a TLS/SSL connection from "strong RSA" grade encryption to "export grade". The attacker rewrites the client's cipher suite offer so that it asks only for export suites, the server replies with a temporary 512-bit RSA key, and a vulnerable client accepts and uses that key even though it never asked for export grade. A 512-bit RSA key can be factored in hours, which makes the downgraded connection far easier to break, according to Matthew Green, a research professor at Johns Hopkins University and one of the researchers who helped uncover the flaw.

"The 512-bit export grade encryption was a compromise between dumb and dumber," he noted in a blog post. "In theory it was designed to ensure that the NSA would have the ability to 'access' communications, while allegedly providing crypto that was still 'good enough' for commercial use."

The US dropped those rules, but the backdoor remains. "Today they [export-level encryption suites] live on like zombies - just waiting to eat our flesh," he said. 
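The downgrade described above, as an added example that is not part of the original article or of the FREAK researchers' code: a Python model of the handshake with a constructed server and a constructed man-in-the-middle. The cipher suite code points and the ClientHello framing are the real TLS values; the server's and client's policies, the 2048-bit certificate key and the 512-bit export key are assumptions made here for illustration. The client-side check at the end is the rule the OpenSSL fix for CVE-2015-0204 enforces: a temporary RSA key in a ServerKeyExchange message is only legal when an export suite was actually negotiated.

```python
"""FREAK downgrade, modelled end to end. Added example; not code from the article.

Real: the TLS cipher suite code points and the framing of ClientHello.
Constructed for illustration: the server, the man-in-the-middle, the client policy
and the key sizes (2048 bits for the certificate key, 512 for the export key).
"""
import os
import struct

TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F         # an ordinary "strong RSA" suite
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003        # 1990s export suites: key exchange via a
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008     # temporary RSA key of at most 512 bits
EXPORT_SUITES = {TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_EXPORT_WITH_DES40_CBC_SHA}
CERT_KEY_BITS = 2048                           # assumed size of the server's real RSA key
EXPORT_KEY_BITS = 512                          # size of the temporary export key


def build_client_hello(suites, client_random=None):
    """Encode a TLS 1.0 ClientHello: record header, handshake header, body (no extensions)."""
    client_random = client_random or os.urandom(32)
    body = b"\x03\x01" + client_random + b"\x00"                    # version, random, no session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cipher suites offered in a ClientHello produced by build_client_hello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9 + 2 + 32                                                 # skip to session id length
    pos += 1 + record[pos]
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    return list(struct.unpack("!%dH" % (n // 2), record[pos + 2:pos + 2 + n]))


def mitm_rewrite_client_hello(record):
    """Attacker, step 1: replace the client's offer with export-only suites."""
    return build_client_hello(sorted(EXPORT_SUITES), client_random=record[11:43])


def server_respond(client_hello):
    """Constructed server that still has export suites enabled. Per RFC 2246 7.4.3 it sends
    a temporary RSA key (ServerKeyExchange) only when an export suite is selected."""
    supported = [TLS_RSA_WITH_AES_128_CBC_SHA, *sorted(EXPORT_SUITES)]
    chosen = next(s for s in parse_client_hello(client_hello) if s in supported)
    return {"chosen_suite": chosen,
            "temp_rsa_bits": EXPORT_KEY_BITS if chosen in EXPORT_SUITES else None}


def mitm_rewrite_server_hello(reply, suite_client_offered):
    """Attacker, step 2: tell the client its strong suite was chosen, but forward the
    512-bit ServerKeyExchange untouched. Once the attacker has factored that key (the
    server reuses it), it knows the premaster secret and can forge both Finished messages."""
    return {**reply, "chosen_suite": suite_client_offered}


def client_key_exchange_check(reply, offered, patched):
    """Return the RSA key size the client encrypts its premaster secret to, or None if it aborts.
    Vulnerable clients (CVE-2015-0204 class) used any temporary RSA key that arrived; the fix is
    to accept one only when an export suite was actually negotiated."""
    suite, temp_bits = reply["chosen_suite"], reply["temp_rsa_bits"]
    if suite not in offered:
        return None                      # every client rejects a suite it never offered
    if temp_bits is None:
        return CERT_KEY_BITS             # normal RSA handshake: encrypt to the certificate key
    if patched and suite not in EXPORT_SUITES:
        return None                      # temporary RSA key outside an export suite: abort
    return temp_bits                     # vulnerable path: 512-bit, factorable key


def run_handshake(patched_client, attacker_present):
    """Simulate one handshake; the client only ever offers the strong suite."""
    offered = [TLS_RSA_WITH_AES_128_CBC_SHA]
    hello = build_client_hello(offered)
    if attacker_present:
        hello = mitm_rewrite_client_hello(hello)
    reply = server_respond(hello)
    if attacker_present:
        reply = mitm_rewrite_server_hello(reply, offered[0])
    return client_key_exchange_check(reply, offered, patched_client)


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "vulnerable", "client, attacker present ->",
              run_handshake(patched, attacker_present=True))
```

The vulnerable client ends up encrypting its premaster secret to the 512-bit key while believing it negotiated AES-128 with the server's real key; the patched client aborts the handshake at the ServerKeyExchange. To test a live server the way the original Freak checkers did, run `openssl s_client -connect host:443 -cipher EXPORT` from an OpenSSL build that still contains export suites; a completed handshake means the server still offers them. Current OpenSSL releases have the export suites removed entirely, so `openssl ciphers EXPORT` fails on them, which is the client-side state you want.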

How bad is the vulnerability?

"If the encryption you are relying on for your HTTPS connections is flawed, malicious hackers or intelligence agencies could break it and intercept your communications," said security analyst Graham Cluley in a blog post. "They could launch attacks, and potentially sniff out your passwords and private messages."

Green told The Washington Post that a 512-bit export key could be cracked with 75 computers working for seven hours, and such processing power is cheaply rented from cloud providers these days. Worse, many servers generate one export key and reuse it for the lifetime of the server process, so the factoring work need only be done once per server before every downgraded connection to it can be decrypted.

Freak may affect as many as a third of encrypted websites: The Washington Post reported that, of the 14 million sites that use SSL, five million were still vulnerable as of yesterday. That is despite security firms and major websites having been told about the flaw weeks ago, to give them time to fix the problem.

It affects anyone using an iOS or Android device or a Mac OS X computer. On the client side the bug sits in Apple's SecureTransport library and in OpenSSL, which the stock Android browser uses; a server is exposed whenever it still has export cipher suites enabled, and its operators should disable them. Apple has said it will roll out a patch next week, while Cluley suggested using a browser other than the default Android one.

Despite the wide reach and severity of the flaw, Check Point MD Keith Bird said that risk to consumers and businesses was minimal, "as it would take a great deal of targeted effort" to hack someone. 

"As the flaw affects the Safari browser on iPhones, iPads and Macs and Android's built-in browser, but not Google Chrome or the latest versions of Internet Explorer or Firefox, users can simply switch to a web browser that's not affected to mitigate any risk from this vulnerability," he added. 
