'Freak' security flaw leaves millions of Google and Apple devices vulnerable

The decade old security flaw based on an old US encryption policy leaves millions of devices vulnerable to hackers.

Published Date
04 - Mar - 2015
| Last Updated
04 - Mar - 2015
'Freak' security flaw leaves millions of Google and Apple devices...

Researchers have discovered a decade old security flaw called 'Freak' that affects Android and iOS devices. According to reports Google and Apple have been developing fixes for the security threat which rotationally leaves millions of devices vulnerable to hackers. Apple has confirmed that it will be releasing the fix next week, but Google has not given a release timeframe.

Researchers stated that the encryption flaw left users of Apple's Safari and Google's Android browsers vulnerable to hackers for more than a decade. The security flaw was blamed on a former US policy that banned US companies from exporting the strongest encryption standards available. The policies were abandoned in the late 1990s, but it was already a part of software used widely around the world.

The flaw could allow cyber criminals to sneak on communications of users accessing Apple's Safari browser or Google's Android browser. Users of the browsers were vulnerable to having their electronic communications intercepted when visiting any of hundreds of thousands of websites, including NSA.gov, Whitehouse.gov and FBI.gov.

“The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered. There are several posts that discuss the attack in detail: Matt Green, The Washington Post, and Ed Felten,” explain researchers.

“A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.”

According to the researchers there has been no evidence that hackers had exploited the vulnerability. Researchers have alerted affected government and commercial websites so that they could take corrective measures before the vulnerability was publicized. According to reports FBI.gov and Whitehouse.gov have been repaired, but NSA.gov still remains vulnerable.

Source: CNET, WSJ