A recently discovered security flaw has left Apple, Android, and BlackBerry users vulnerable to hackers for more than a decade. Nicknamed FREAK Attack, the vulnerability allows hackers to steal passwords and personal data by manipulating existing security protocols and inserting a man-in-the-middle attacker into mobile and internet connections. Researchers announced their discovery at the beginning of March, and claim the vulnerability is the result of a U.S. policy that forbade the export of internet-capable devices with “strong” encryption features. That policy affected devices made within the United States, as well as those manufactured by American companies in foreign territories.
The FREAK Flaw
The so-called “FREAK” flaw was discovered earlier this year when researchers were looking for potential security vulnerabilities in OpenSSL and TLS/SSL clients. The team, consisting of cryptographers from INRIA, IMDEA, and Microsoft, found an exploitable flaw that allows an attacker to downgrade a user’s browser connection from ‘strong’ RSA to ‘export-grade’ RSA. In effect, the downgrade weakens the browser’s security protocols enough for a man-in-the-middle attacker to siphon off the user’s personal data and lay the groundwork for further attacks. The FREAK security flaw affects Apple’s Safari web browser, as well as Google’s stock browser for Android-compatible devices. The research team has stated that the FREAK flaw does not affect Chrome or Internet Explorer.
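The downgrade described above, reduced to a toy model of the TLS handshake (an added illustration, not the researchers' or any browser vendor's code): the cipher suite names are real TLS identifiers, while the messages, key sizes, server and attacker are constructed stand-ins. It shows the client-side check that the fixes add, and goes one step beyond the text by also modelling the server-side remedy of disabling export suites.

```python
from typing import List, Optional
from dataclasses import dataclass

# Real TLS cipher suite names; everything else here is a constructed model.
EXPORT_RSA = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"  # 512-bit RSA key sent in ServerKeyExchange
STRONG_RSA = "TLS_RSA_WITH_AES_128_CBC_SHA"    # RSA key taken from the certificate
CERT_KEY_BITS = 2048                           # constructed certificate key size

@dataclass
class ServerFlight:
    suite: str                        # cipher suite named in the ServerHello
    key_exchange_bits: Optional[int]  # RSA modulus size in ServerKeyExchange, if sent

def server(offered: List[str], export_enabled: bool = True) -> ServerFlight:
    """Server that still offers export suites unless export_enabled=False."""
    if STRONG_RSA in offered:
        return ServerFlight(STRONG_RSA, None)
    if EXPORT_RSA in offered and export_enabled:
        return ServerFlight(EXPORT_RSA, 512)
    raise ValueError("no shared cipher suite")

def mitm(export_enabled: bool) -> ServerFlight:
    """Attacker asks the server for export RSA only, then relabels the
    ServerHello so the client believes strong RSA was negotiated."""
    flight = server([EXPORT_RSA], export_enabled)
    return ServerFlight(STRONG_RSA, flight.key_exchange_bits)

def client(flight: ServerFlight, offered: List[str], patched: bool) -> int:
    """Return the RSA key size the client encrypts its premaster secret to."""
    if flight.suite not in offered:
        raise ValueError("server chose a suite we never offered")
    if flight.key_exchange_bits is None:
        return CERT_KEY_BITS
    # The FREAK client bug: a ServerKeyExchange was accepted in a handshake
    # whose suite carries no such message. The fix rejects it as unexpected.
    if patched and flight.suite != EXPORT_RSA:
        raise ValueError("unexpected ServerKeyExchange for non-export RSA")
    return flight.key_exchange_bits

def negotiated_key_bits(patched: bool, attacked: bool,
                        export_enabled: bool = True) -> Optional[int]:
    """Key size the session ends up protected by, or None if it aborts."""
    offered = [STRONG_RSA]  # a modern browser offers strong suites only
    try:
        flight = mitm(export_enabled) if attacked else server(offered, export_enabled)
        return client(flight, offered, patched)
    except ValueError:
        return None
```

An unpatched client under attack ends up encrypting to the 512-bit key even though it only ever offered strong RSA; a patched client aborts, as does any client when the server no longer offers export suites.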
A Decade of Insecurity
The FREAK flaw has been blamed on a U.S. policy that banned the sale and export of devices with advanced encryption standards. That policy was revoked in the late 1990s, but the damage had already been done. By the time the restrictions were lifted, the weakened security standards had been built into much of the software, servers, and web browsing applications used around the world. That leaves millions of people at risk of data theft. Software developers and security experts have been quick to address the issue, but it may be some time before the vulnerability is totally eliminated. Researchers at the University of Michigan in the United States are currently tracking the FREAK attack, and anyone worried about their online security can use their online tool to check whether their browser is secure. Meanwhile, Google and Apple have been quick off the mark to develop software patches to address the FREAK attack vulnerability.
Patches for the FREAK Flaw
Within a week of the research team’s announcement, Apple and Google set to work developing the necessary software patches to fix the FREAK attack flaw. Those patches have now been deployed and are available to anyone using Apple iOS, as well as most Android devices. BlackBerry is still working on a suitable patch, which will be released soon. Security experts have praised the quick response, but warn that it is not an end to the problem. Rik Ferguson, director of research at Trend Micro, points out that “there is a big difference between the date when a patch is released and when it is implemented.” It will take some time for everyone to download and install the FREAK patch, and Android users in particular will have to wait until their carriers make the patch available.
The FREAK flaw highlights the dangers of government-mandated security protocols, and brings to mind recently proposed legislation that would ban certain encrypted messaging apps. These policies are put forward as national security measures, but they can have unintended, and long-lasting, repercussions. The FREAK attack flaw has left millions of people around the world vulnerable to cyber-attacks for more than a decade, and only now is that risk coming into focus. The FREAK flaw is a timely reminder that mobile communications and the Internet may not be as secure as we believe.