FREAK: Android And iOS SSL Security Is Still Vulnerable To Snoop Attacks – Blame America For Poor Encryption

Security researchers have unearthed a vulnerability in the implementation of data security that is reminiscent from the time the United States government was quite uneasy and many-a-times downright clueless about encryption technology.

Despite the best efforts to keep snoopers out of your Android as well as iOS devices, inherent vulnerabilities within the encryption protocols still ensure they continue to remain vulnerable. The flaw lies in the very security standard meant to protect devices from snooping attacks.

A critical flaw in OpenSSL and Apple’s SecureTransport, can still potentially allow a persistent attacker to decrypt your login cookies, and other sensitive information, from your internet connections if you use a vulnerable browsers such as Safari. Shockingly, despite ensuring you surf only secured websites (those which use HTTPS at the beginning of the URL), you continue to remain exposed, warn researchers.

Apple’s SecureTransport is a library used by applications on iOS and OS X, including Safari for iPhones, iPads, and Macs. OpenSSL is open source, and used by Android browsers, and many other things. Both these standards are the bare essential sentries that protect your connections to online banking, webmail, and other HTTPS websites, and so much else on the internet, to thwart eavesdroppers.

As it turns out, the encryption used by OpenSSL and SecureTransport can be crippled by an attacker on your network. Attackers can trick your apps into using weak encryption keys, allowing determined hackers to sniff out login cookies and other sensitive information out of your SSL-protected traffic.

This latest flaw, highlighted today and dubbed ‘FREAK’ (Factoring RSA Export Keys), is exploited during the moments when a secure connection is established but the encryption has not initialized, explained the researchers.

“Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.”

Interestingly, you can blame Uncle Sam for ensuring your devices remain vulnerable. Back in the early 1990s, the U.S. government banned Americans from selling software overseas unless the code used so-called “export cipher suites” that involved encryption keys no longer than 512 bits. At the time, this was supposed to ensure that America exported relatively weak encryption to the rest of the world, and kept the stronger stuff for itself.

Unfortunately, though the restrictions on crypto-exports were lifted, some implementations of the TLS and SSL protocols still support these 1990s export-strength tech, which can be easily fooled or crippled.

Just how damaging is the vulnerability? An estimated 36 percent of 14 million browser-trusted websites scanned by researchers will drop down to 512-bit keys or below, as will 26.3 percent of the probed IPv4 space. About 12 percent of the Alexa top one million most popular websites will do so, too.

While the devices that receive regular updates will have already been fortified against the weak encryption vulnerability, those who are stuck on older versions of Android, or with embedded stuff in their home, office and factories that cannot be updated, still remain vulnerable.

[Image Credit | Threat Post]