Apple Promises Fix For FREAK Encryption Flaw

A potentially nasty security vulnerability has been discovered that has been hanging around since the 1990s.

The bug has been dubbed “FREAK” by security researchers, and apparently affects Apple Mac computers and Android mobile devices.

Freaky Flaw

According to the researchers, the vulnerability concerns the encryption technology used to secure web connections and could allow hackers to spy on the communications of Apple’s Safari browser and Google’s Android browser. It does not affect Google’s Chrome browser.

“The vulnerability allows attackers to intercept HTTPS connections between vulnerable clients and servers and force them to use ‘export-grade’ cryptography, which can then be decrypted or altered,” said the researchers.

The FREAK attack was originally discovered by Karthikeyan Bhargavan at the French computer science lab INRIA in Paris and the miTLS team.

The US had, up until 1999, banned companies from shipping any products overseas that contained strong encryption, as it deemed encryption to be a munition. But it had allowed the exportation of weaker and more breakable “export-grade encryption”.

Unfortunately, after those restrictions were lifted by Bill Clinton in 1999, it seems that the weaker “export-grade” encryption modes were inadvertently left in “many Google and Apple” devices (and other devices that use unpatched OpenSSL).

The researchers used a man-in-the-middle attack to force a victim’s browser to negotiate one of these now crackable export-grade ciphers. Once the browser was using the weaker cipher, its encrypted communication could be decrypted in a matter of hours, potentially allowing hackers to steal passwords and other personal information.

“Websites that support RSA export cipher suites (e.g. TLS_RSA_EXPORT_WITH_DES40_CBC_SHA) are at risk of having HTTPS connections intercepted,” warned the researchers.
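The downgrade the researchers describe shows up in the handshake itself: the ServerHello names the cipher suite that was agreed. The following added example (not code from the article or from the researchers) parses a captured TLS ServerHello record and flags it when the negotiated suite is one of the export-grade suites, including the TLS_RSA_EXPORT_WITH_DES40_CBC_SHA suite quoted above; the sample records are constructed inline, and the `build_server_hello` helper exists only to produce them.

```python
# Added example: detect an export-grade suite in a captured TLS ServerHello.
# Sample records below are constructed; nothing here touches the network.
import struct

# Export-grade suites from the TLS 1.0 registry (RFC 2246, appendix A.5).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

def negotiated_suite(record: bytes) -> int:
    """Return the cipher suite chosen in a TLS record carrying a ServerHello."""
    # Record header: content type (1), version (2), length (2); 0x16 = handshake.
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or len(record) < 5 + rlen:
        raise ValueError("not a complete handshake record")
    hs = record[5:5 + rlen]
    # Handshake header: msg_type (1), length (3); 0x02 = ServerHello.
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    # ServerHello body: version (2), random (32), session_id_len (1),
    # session_id (n), cipher_suite (2), compression (1).
    sid_len = body[34]
    return struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]

def is_export_downgrade(record: bytes) -> tuple[bool, str]:
    """(True, suite name) for an export-grade suite, else (False, hex id)."""
    suite = negotiated_suite(record)
    name = EXPORT_SUITES.get(suite)
    return (name is not None, name or f"0x{suite:04x}")

def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Helper (assumption, for test input only): minimal TLS 1.0 ServerHello."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!HB", suite, 0)  # chosen suite, null compression
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # Constructed samples: a FREAK-style downgrade, then a normal negotiation.
    print(is_export_downgrade(build_server_hello(0x0008, b"\xAA" * 8)))
    print(is_export_downgrade(build_server_hello(0x002F)))  # AES_128_CBC_SHA
```

Run the same check over ServerHello records pulled from a packet capture to confirm no server or client on your network is still negotiating these suites.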

And worryingly, users of Apple and Google devices are vulnerable to hacking when they visit supposedly secure websites such as Whitehouse.gov, NSA.gov and FBI.gov.

Other vulnerable websites include americanexpress.com, bloomberg.com, and senate.gov.

Fix Promised

Both Apple and Google have promised fixes for the flaw.

Apple spokesman Ryan James was quoted by Reuters as saying that it had developed a software update to fix the vulnerability, which would be pushed out next week.

Google spokeswoman Liz Markman meanwhile reportedly said it had also developed a patch, which it has provided to partners.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
