A team of security researchers unearthed a decade-old vulnerability called the FREAK (Factoring attack on RSA-EXPORT Keys) attack, which impacts Google and Apple device users who may have visited websites, including Whitehouse.gov and NSA.gov, according to a Washington Post report. One of the researchers who spotted the vulnerability told the Post that “Of the 14 million Web sites worldwide that offer encryption, more than 5 million remained vulnerable as of Tuesday morning.”
According to Matthew Green, a cryptographer and research professor at Johns Hopkins University who has been looking into the flaw, the security researchers found serious vulnerabilities in the security protocols used by the Safari browser and the browser found in Android devices. These protocols are used to encrypt data through secure network connections between websites and browsers.
Even though the Android browser in question uses the OpenSSL protocol and Safari uses the Apple TLS/SSL protocols, both protocols are similarly affected and a hacker taking advantage of the bug can “downgrade connections from ‘strong’ RSA to ‘export-grade’ RSA,” Green wrote. This basically means that a hacker can infiltrate the connection between the browsers and websites and weaken the encryption that occurs. When this happens, a hacker can supposedly decrypt the data and obtain the information that was supposed to be secure.
While the bug clearly affects a lot of users, Forbes is reporting that actually pulling off the hack requires a lot of work, and it’s more likely that hackers would attempt another kind of attack.
[blockquote person=”Forbes” attribution=”Forbes”]This all sounds scary, but in reality, there are easier attack methods for snoops or criminals to spy on your online lives. For starters, a FREAKy hacker will have to find a target using a vulnerable PC, phone or tablet, and hope they use the affected sites. They’ll also have to be on the same network, though the NSA, GCHQ and myriad other intelligence agencies have access to much of the world’s internet, so would easily be able to carry out such an attack, as long as the other criteria were met.[/blockquote]
What’s interesting is that the reason why there is weaker encryption in the first place has to do with U.S. government policy “that once forbid the export of strong encryption” and instead called for products shipped to other countries to come equipped with weak encryption, the Post reported. Although the policy is supposedly no longer in effect, the damage has been done and “weaker encryption got baked into widely used software that proliferated around the world and back into the United States.”
While Google’s Chrome browser is not affected by the vulnerability, the browser found in the majority of Android devices are, and an Apple spokeswoman told the Post that the company will be issuing a security patch that should fix both Apple computers and mobile devices.
Encryption has been a hot topic as of late as China just unveiled a new counterterrorism law that would require tech companies to hand over their encryption keys if the Chinese government calls for it. Both the U.S. and the U.K. have also let it be known that encryption hampers a government’s ability to perform investigations and if companies use the tech, they should be prepared to turn over the encryption keys.