What is Freak? Security bug affects hundreds of millions of iPhone, iPad and Android users
Researchers have uncovered the latest vulnerability in the way our data is protected online, with the Freak bug potentially putting hundreds of millions of smartphone and tablet users at risk.
The bug, which affects HTTPS encrypted communication online, has been around for decades, but was only uncovered on 3 March, 2015. If exploited, the bug could give hackers access to your personal data including login details and even banking information.
Here, we break down just what Freak is, how it works, and who is vulnerable:
What is Freak?
Freak is the latest security flaw to be discovered in the cryptographic protocols which are used to encrypt your online communications - known as SSL and TLS.
The vulnerability is found in particular in OpenSSL, the same software library which was at the centre of the Heartbleed controversy last year.
Who discovered it?
The vulnerability, which has been around since the 1990s, was only discovered on Tuesday, 3 March by researchers at the French Institute for Research in Computer Science and Automation, Microsoft Research and IMDEA.
Why has Freak been around for so long?
The problem dates back to the early 1990s when the US government decided that it wanted to weaken the encryption standards on products being shipped overseas by US companies.
It required the companies to downgrade the encryption being used from strong RSA grade encryption to "export-grade" encryption. At the time this "export-grade" encryption was still relatively strong, requiring a supercomputer to be able to crack the 512-bit encryption key, meaning only the US government were likely to be able to exploit the vulnerability.
However, with the rapid advance in computing, this is no longer the case, and with access to huge computing power through the likes of Amazon's cloud computing service AWS, anyone could potentially exploit the Freak bug.
As renowned cryptographer Matthew Green says:
The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they're still hurting us today. Encryption backdoors will always turn around and bite you in the ass. They are never worth it.
Who is vulnerable to a Freak attack?
According to the researchers, on the user side Apple's Safari web browser on its iPhone, iPad and Mac devices is vulnerable, as are almost all versions of Android, because Google uses the OpenSSL library in its mobile operating system. That means that potentially hundreds of millions of people are at risk.
The Chrome desktop browser, Microsoft's Internet Explorer and Mozilla's Firefox are not vulnerable.
On the server side, according to researchers, just shy of 10% of the internet's top million websites are vulnerable. This is down from 12.2% on Tuesday, meaning that website administrators seem to be fixing the problem.
There are, however, still many major websites including banking, media and government sites which are affected. These include the websites of American Express, Business Insider, Bloomberg, the Marriott hotel group and indeed IBTimes UK.
The list previously included the FBI's website for anonymous informants, but this is no longer vulnerable, it would seem. However, the whitehouse.gov website remains vulnerable.
The full list can be found here.
How can hackers exploit Freak?
The vulnerability allows for what is known as a man-in-the-middle attack. It would allow a hacker who is sitting on the same network as the target to intercept encrypted communication between a vulnerable device and a vulnerable website and see that content in plain text.
It would require the target to visit one of the websites listed above using one of the web browsers which is vulnerable to a Freak attack. The hacker could then force the website to use the old "export grade" encryption ciphers which are no longer only crackable by supercomputers.
Forbes reports that researcher Nadia Heninger, from the University of Pennsylvania, was able to create a 512-bit key in around 7.5 hours for $104 using Amazon Web Services machines.
How do I know if a website is vulnerable?
Just visit the SSL Labs' SSL Server Test to check whether the site you want to visit is vulnerable.
What have Apple and Google said about Freak?
Apple was quick to respond to the researchers' discovery, saying it was aware of the problem and working on a fix:
"We have a fix in iOS and OS X that will be available in software updates next week."
Google has told AP that it has issued a fix and sent the update to device makers and wireless carriers.
The problem it faces is that despite OpenSSL issuing a fix for this vulnerability in January, the huge fragmentation of the Android platform means it could take a long time for the majority of users to get the updates needed to protect them.
How can this be fixed?
The advice from the researchers who uncovered Freak is aimed at website administrators and is pretty straightforward:
"If you run a web server, you should disable support for any export suites. However, instead of simply excluding RSA export cipher suites, we encourage administrators to disable support for all known insecure ciphers."
Mozilla has published a guide and SSL Configuration Generator, which will generate known good configurations for common servers.
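As an added example (not from the article or the researchers), this Python sketch audits the cipher suite names a server offers, for instance as listed by a scanner, and flags export-grade suites plus other known insecure ones, in line with the advice quoted above. The suite names are standard OpenSSL and IANA names; the sample lists, rule labels and function names are constructed for illustration.

```python
import re

# Each rule is matched against the upper-cased suite name. "export" covers the
# suites Freak depends on; the rest follow the advice to also disable other
# known insecure ciphers. Labels are this example's own, not a standard.
RULES = [
    ("export",          re.compile(r"(^|[-_])EXP(ORT)?(1024)?([-_]|$)")),
    ("null-encryption", re.compile(r"(^|[-_])NULL([-_]|$)")),
    ("anonymous-kx",    re.compile(r"(^|[-_])(ADH|AECDH|ANON)([-_]|$)")),
    ("rc4",             re.compile(r"(^|[-_])RC4([-_]|$)")),
    # Single DES only: "DES-CBC3-SHA" and "3DES_EDE_CBC" (triple DES) do not match.
    ("single-des",      re.compile(r"(^|[-_])DES(40)?[-_]CBC([-_]|$)")),
    ("md5-mac",         re.compile(r"[-_]MD5$")),
]

def audit_suites(names):
    """Return {suite: [reasons]} for every suite that matches a rule."""
    findings = {}
    for raw in names:
        name = raw.strip()
        reasons = [label for label, rx in RULES if rx.search(name.upper())]
        if reasons:
            findings[name] = reasons
    return findings

def offers_export(names):
    """True if any offered suite is export-grade."""
    return any("export" in r for r in audit_suites(names).values())

# Constructed sample inputs: a legacy server and a hardened one.
LEGACY = [
    "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA", "RC4-MD5",
    "EXP-RC4-MD5", "EXP-DES-CBC-SHA", "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
]
HARDENED = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]

if __name__ == "__main__":
    for label, suites in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(label, "offers export suites:", offers_export(suites))
        for suite, reasons in audit_suites(suites).items():
            print("  disable", suite, "->", ", ".join(reasons))
```
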
Should I stop using my iPhone, iPad or Android device?
Probably not. While this attack is possible, it would still require a significant amount of effort on the part of a hacker. There are many other, much simpler ways they could try to steal your sensitive data.
Simple steps you can take to protect yourself include not logging onto public Wi-Fi networks and updating your browser when Apple and Google issue fixes.