FREAK flaw leaves Apple, Google users at risk

"Zombie" flaw the result of US watering down encryption for export

A serious flaw in Android and iOS devices has left them at risk of hacking for more than ten years. 

The SSL/TLS vulnerability, called Factoring Attack on RSA-EXPORT Keys, or Freak, is the result of a US government rule that banned the export of strong encryption. That rule was relaxed in the late 1990s, but support for the weaker "export-grade" cipher suites remained in widely used software.

That means an attacker sitting between a client and a server can downgrade a TLS/SSL connection from "strong RSA" grade encryption to "export grade", making it far easier to break, according to Matthew Green, a research professor at Johns Hopkins University and one of the researchers who helped uncover the flaw.

"The 512-bit export grade encryption was a compromise between dumb and dumber," he noted in a blog post. "In theory it was designed to ensure that the NSA would have the ability to 'access' communications, while allegedly providing crypto that was still 'good enough' for commercial use."

The US dropped those rules, but the backdoor remains. "Today they [export-level encryption suites] live on like zombies - just waiting to eat our flesh," he said. 
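The downgrade described above leaves a trace on the wire: the cipher suite the server selects in its ServerHello. The following script is an added example written for this article, not code from the researchers or any of the vendors named; it parses a TLS record carrying a ServerHello and flags the RSA_EXPORT and DH*_EXPORT suite identifiers defined in RFC 2246 Appendix A.5, which is what a defender would look for in captured traffic or in a scanner's own handshake. The sample ServerHello bytes are constructed inline for the example, not taken from a real capture.

```python
"""Flag TLS handshakes in which the server negotiated an export-grade cipher suite.

Added example for the FREAK article (not the researchers' or any vendor's code).
Parses a TLS record containing a ServerHello and reports whether the chosen
suite is one of the export-grade suites that FREAK-style downgrades rely on.
"""
import struct

# Export-grade suites from RFC 2246 / RFC 4346 Appendix A.5: 40-bit symmetric keys
# with 512-bit RSA or DH. Any of these being selected is a finding.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

RECORD_HANDSHAKE = 22   # TLS record content type
HS_SERVER_HELLO = 2     # handshake message type


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; return version and cipher suite.

    Every length field is checked so truncated or malformed input raises
    ValueError instead of being misread.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != RECORD_HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {ctype})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length does not match payload")
    if len(body) < 4 or body[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("handshake length does not match payload")
    # ServerHello layout: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
    if len(hello) < 35:
        raise ValueError("ServerHello too short")
    version = (hello[0], hello[1])
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 3:
        raise ValueError("ServerHello truncated before cipher suite")
    suite = int.from_bytes(hello[off:off + 2], "big")
    return {"version": version, "session_id_len": sid_len, "cipher_suite": suite}


def is_export_grade(suite: int) -> bool:
    """True if the negotiated suite is one of the RFC 2246 export-grade suites."""
    return suite in EXPORT_SUITES


def describe(record: bytes) -> str:
    """One-line verdict for a captured ServerHello record."""
    info = parse_server_hello(record)
    suite = info["cipher_suite"]
    name = EXPORT_SUITES.get(suite, f"0x{suite:04x}")
    version = VERSIONS.get(info["version"], f"version {info['version']}")
    verdict = "EXPORT-GRADE suite negotiated (downgrade)" if is_export_grade(suite) else "ok"
    return f"{version}, cipher suite {name}: {verdict}"


def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (sample data for this example)."""
    hello = (bytes([3, 1]) + bytes(32) + bytes([len(session_id)]) + session_id
             + suite.to_bytes(2, "big") + b"\x00")
    body = bytes([HS_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([RECORD_HANDSHAKE, 3, 1]) + len(body).to_bytes(2, "big") + body


# Constructed samples: a downgraded handshake and a normal one (TLS_RSA_WITH_AES_128_CBC_SHA).
SAMPLE_DOWNGRADED = build_server_hello(0x0003)
SAMPLE_STRONG = build_server_hello(0x002F, session_id=b"\x11" * 8)

if __name__ == "__main__":
    for sample in (SAMPLE_DOWNGRADED, SAMPLE_STRONG):
        print(describe(sample))
```

In practice the same check is run over the ServerHello of a live scan or a packet capture; a server that ever answers with a suite in this table still offers export-grade keys and should have those suites removed from its configuration.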

How bad is the vulnerability?

"If the encryption you are relying on for your HTTPS connections is flawed, malicious hackers or intelligence agencies could break it and intercept your communications," said security analyst Graham Cluley in a blog post. "They could launch attacks, and potentially sniff out your passwords and private messages."

Green told The Washington Post that downgraded encryption could be cracked with 75 computers working for seven hours - and such processing power is easily accessible via the cloud these days.

Freak may affect as many as a third of encrypted websites: The Washington Post reported that of the 14 million sites that use SSL, five million were still vulnerable as of yesterday. That is despite security firms and major websites having been told about the flaw weeks ago to give them time to fix the problem.

It affects anyone using an iOS or Android device, or Mac OS X computer. Apple has said it will roll out a patch next week, while Cluley suggested using a browser other than the default Android one. 

Despite the wide reach and severity of the flaw, Check Point MD Keith Bird said that risk to consumers and businesses was minimal, "as it would take a great deal of targeted effort" to hack someone. 

"As the flaw affects the Safari browser on iPhones, iPads and Macs and Android's built-in browser, but not Google Chrome or the latest versions of Internet Explorer or Firefox, users can simply switch to a web browser that's not affected to mitigate any risk from this vulnerability," he added. 
