
Key Repetition Makes FREAK Attacks Easier

Researchers at Royal Holloway, University of London, have discovered more bad news around the FREAK encryption flaw disclosed earlier this month.

Not only are 10 percent of the devices that support the vulnerable protocol still vulnerable, many of these are also affected by another flaw that makes the problem easier to exploit.

FREAK, or Factoring attack on RSA-EXPORT Keys, is a technique that forces systems to use the weaker 512-bit or “export-grade” encryption keys, which are still found in many systems due to US export restrictions that were lifted in 1999. The technique was at first only believed to work against Mac OS X, iOS and Android systems, but Microsoft later confirmed that all versions of Windows are also vulnerable. Microsoft and Apple have released patches addressing the issue.

One week after the technique was disclosed, Royal Holloway’s researchers carried out a scan of the IPv4 address space using the open source scanning tool ZMap, and within the nearly 23 million hosts that use the affected SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol, found 9.7 percent, or around 2.2 million, that were still vulnerable to FREAK.

While the number is high, it is markedly less than that discovered by the FREAK researchers, possibly due to administrators quickly taking action to remove export-grade keys, wrote Martin Albrecht, Davide Papini, Kenneth Paterson and Ricardo Villanueva-Polanco of the Information Security Group at Royal Holloway, University of London.

However, they also discovered that many of these hosts – which could include servers or other devices – share the same 512-bit public key, something that could make carrying out exploits in the real world easier.

In the most extreme example, 28,394 routers running a SSL VPN module all use the same 512-bit public key, the researchers said, concluding that a manufacturer had probably generated one key and then installed it on many devices.

Low cost

One of the limiting factors of FREAK is the relative difficulty of carrying out an attack, which depends on breaking, or factoring, the 512-bit key involved. While this is possible using cloud computing resources, it entails a significant cost per attack. With the repetition of public keys, an attacker could factor a single key and then use the result to potentially carry out many attacks, reducing that cost, according to the researchers.

“These repeated moduli would be attractive targets for direct factoring,” the researchers wrote. “For example, spending $100 (£68) on factoring the most repeated modulus would enable a per-host breaking cost of only 0.3 cents for all the hosts using this modulus.”

The researchers found that 664,336 hosts used duplicate keys, and they were even able to successfully factor 90 of the keys, affecting 294 devices, in only about three minutes using a fairly average system running eight 3.3GHz Xeon cores and less than 2GB of RAM.

“The computation took less than three minutes on an eight-core system, saving the $9,000 that a cloud computation would have cost if each modulus had been attacked directly,” the researchers wrote. “We consider this to be a good return on investment for a Friday afternoon’s work.”
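Administrators can check an inventory of their own devices for the two conditions described above, export-grade key size and one modulus shared by many hosts. The following is an added example, not code from the article or from the Royal Holloway researchers; the record format, host addresses and moduli are constructed stand-ins rather than real keys or scan data.

```python
from collections import defaultdict

EXPORT_BITS = 512  # export-grade RSA modulus size named in the article

def cents_per_host(factoring_cost_usd, host_count):
    """Cost of one factoring run spread over every host sharing the modulus."""
    return factoring_cost_usd * 100 / host_count

def audit(records, factoring_cost_usd=100.0):
    """Group hosts by RSA modulus; flag export-grade sizes and key reuse."""
    by_modulus = defaultdict(list)
    for host, modulus in records:
        by_modulus[modulus].append(host)
    findings = []
    for modulus, hosts in by_modulus.items():
        weak = modulus.bit_length() <= EXPORT_BITS
        shared = len(hosts) > 1
        if weak or shared:
            cost = cents_per_host(factoring_cost_usd, len(hosts))
            findings.append({
                "bits": modulus.bit_length(),
                "hosts": sorted(hosts),
                "export_grade": weak,
                "shared": shared,
                # Only meaningful when the key is small enough to factor.
                "cents_per_host": round(cost, 2) if weak else None,
            })
    # Export-grade keys first, most widely shared at the top: replace these first.
    findings.sort(key=lambda f: (not f["export_grade"], -len(f["hosts"])))
    return findings

# Constructed stand-in values with the right bit lengths (assumption: the
# moduli have already been collected from your own hosts as integers).
M_A = (1 << 511) | 0xA5A5A5    # 512-bit, shipped on four devices
M_B = (1 << 511) | 0x5A5A5B    # 512-bit, unique
M_C = (1 << 2047) | 0xC3C3C3   # 2048-bit, reused on two hosts
M_D = (1 << 2047) | 0x1        # 2048-bit, unique: no finding
SAMPLE = [
    ("192.0.2.10", M_A), ("192.0.2.11", M_A), ("192.0.2.12", M_A),
    ("192.0.2.13", M_A), ("192.0.2.20", M_B),
    ("198.51.100.5", M_C), ("198.51.100.6", M_C), ("198.51.100.7", M_D),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Hosts at the top of the output are the ones to re-key first, each with its own freshly generated key of adequate size.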


Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
