Security researchers have discovered a crippling OpenSSL bug in Microsoft, Apple and Google devices, as well as many high profile websites, which could allow “man in the middle” attacks. These attacks can occur when Apple users are on public Wi-Fi networks, where they can be fooled into connecting to rogue servers claiming to belong to someone else.
The “FREAK” vulnerability (CVE-2015-0204), short for Factoring attack on RSA-EXPORT Keys, makes it possible for attackers to decrypt and monitor HTTPS-protected traffic.
A FREAK attack is possible when someone with a vulnerable device—Mac OS X computers, iOS and Android devices—connects to an HTTPS-protected website configured to use an easily breakable key once thought to be dead. It requires that the attacker be in a position where they can intercept packets between the endpoint device and the HTTPS-protected website.
How did we get here?
The flaw resulted from a former policy of the Clinton administration, which required weak 512-bit keys to be used in any software or hardware that was exported out of the United States. The U.S. government forbade the export of strong encryption in products shipped to customers in other countries.
These restrictions were lifted in the late 1990s, but somehow the weaker encryption have managed to remain in widely used software and hardware around the world, including the United States, and went unnoticed by the public until recently.
How to tell if your browser is vulnerable
Type this web address directly into your browser address bar:
On this page, you can see if your browser is vulnerable, and it has a list of every vulnerable website. At the time of writing this post, only Firefox is safe to use on Mac OS X (both Safari and Google Chrome are vulnerable).
Have hackers figured out how to exploit the FREAK flaw?
There is no published attack using this vulnerability, but that doesn’t mean it’s not happening. Given the age of this vulnerability, someone has probably figured out how to exploit it, at least by the NSA. However, successful exploitation is not exactly easy to accomplish without physical access to the hotspot hardware.
This means that attacks can be launched by anyone who has access to Internet traffic, which includes governments, Internet Service Providers (ISPs), coffee shops or airports, and any other locations offering Wi-Fi hotspots. A malicious hotspot owner could exploit the vulnerability, or someone spoofing the Starbucks hotspot from a nearby location. And a well-versed hacker could pull it off, but it’s really not that simple.
Dan Goodin at Ars Technica described what can happen, and said:
[A]ttackers on a coffee-shop hotspot or other unsecured network can masquerade as the official website, a coup that allows them to read or even modify data as it passes between the site and the end user.
How can the FREAK vulnerability be resolved?
Both Microsoft and Apple are working on a patch for the client side, and they no doubt will soon. Web server hosts can also patch this on the server side, which they no doubt are doing as well.
Intego is continuing to research this threat and will continue to provide updates as new information becomes available.