Dubbed FREAK (Factoring RSA Export Keys), the vulnerability forces a secure connection to use weaker encryption, making it easy for cybercriminals to decrypt sensitive information.
The flaw dates back to the 1990s, when the US government mandated that software intended for export use “export cipher suites that involved encryption keys no longer than 512 bits.” According to researchers, that kind of encryption might have sufficed in the 90s, but with so much computing power readily available from the cloud, 512-bit RSA keys can now be broken in about 7 hours for only US$100. While this restriction was lifted in the late 90s, some implementations of the TLS and SSL protocols still support these export-grade encryption modes.
FREAK was discovered by Karthikeyan Bhargavan at INRIA in Paris and the miTLS team. They found that OpenSSL (versions prior to 1.0.1k) and Apple TLS/SSL clients are vulnerable to man-in-the-middle (MITM) attacks. Once attackers are able to intercept the HTTPS communication between vulnerable clients and servers, they force the connection to use the old export-grade encryption.
Attackers who “listen” in on the communication will then be able to decrypt the information with relative ease.
Apple’s SecureTransport is used by applications running on iOS and OS X. These include Safari for iPhones, iPads, and Macs. Meanwhile, OpenSSL is used by Android browsers and other application packages. From Trend Micro’s understanding, the attack is possible only if the OpenSSL version is vulnerable to CVE-2015-0204.
According to reports, 37% of browser-trusted sites are affected by this flaw. Affected sites include Bloomberg, Business Insider, ZDNet, HypeBeast, Nielsen, and the FBI. It bears stressing that there are country-specific sites that were also affected.
Addressing the FREAK Flaw
OpenSSL has provided a patch for CVE-2015-0204 in January. Apple is reportedly deploying a patch for both mobile devices and computers.
Trend Micro advises Android users to refrain from using the default Android browser on their devices. They can instead use the Google Chrome app, as it is not affected by the bug. Furthermore, connections to the Google search site are not affected.
Trend Micro is also currently evaluating the flaw's exact impact and attack mechanism on servers. For the time being, they advise businesses running websites and other server applications that use export-grade ciphers to upgrade their systems and move to the latest OpenSSL. Administrators can also check if their site is vulnerable by using the SSL Labs’ SSL Server Test.
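As an added example (not from the original article or from Trend Micro), the Python audit below takes a server's expanded cipher list and separates the 512-bit RSA export suites that FREAK downgrades a connection to from other export-grade suites. It accepts either the layout older OpenSSL builds print for `openssl ciphers -v` or IANA suite names from a scan report; the sample list and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout older OpenSSL builds print for
# `openssl ciphers -v`; it is not output captured from a real server.
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

KX = re.compile(r"\bKx=(\S+)")


def classify(line):
    """Return 'rsa-export', 'other-export' or None for one suite line."""
    tokens = line.split()
    if not tokens:
        return None
    name = tokens[0]
    if name.startswith(("TLS_", "SSL_")):
        # IANA-style name, e.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5
        if "_EXPORT" not in name:
            return None
        # Only suites whose key exchange is RSA_EXPORT use the 512-bit RSA key.
        return "rsa-export" if name[4:].startswith("RSA_EXPORT_WITH") else "other-export"
    # OpenSSL-style line: export suites are named EXP* and end in "export".
    if not (name.startswith("EXP") or tokens[-1] == "export"):
        return None
    kx = KX.search(line)
    return "rsa-export" if kx and kx.group(1) == "RSA(512)" else "other-export"


def audit(cipher_listing):
    """Split a cipher listing into (512-bit RSA export, other export) names."""
    rsa_export, other_export = [], []
    for line in cipher_listing.splitlines():
        verdict = classify(line)
        if verdict == "rsa-export":
            rsa_export.append(line.split()[0])
        elif verdict == "other-export":
            other_export.append(line.split()[0])
    return rsa_export, other_export


if __name__ == "__main__":
    rsa, other = audit(SAMPLE)
    print("512-bit RSA export suites (FREAK downgrade targets):", rsa)
    print("Other export-grade suites to disable:", other)
```

Any name in the first list means the server still offers the key exchange FREAK relies on; both lists should be empty on a correctly configured server.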
More information on the flaw can be found on Trend Micro’s blog.