A new Internet vulnerability is affecting popular SSL clients across the web. Eerily named FREAK, this flaw allows malicious parties and attackers to force servers to automatically downgrade to weakened ciphers. Once this is done, the attackers can easily crack all encrypted communications of these weakened servers through advanced Man-In-The-Middle (MITM) attacks. If all that sounds a bit complicated, this blog post aims to simplify it for you and give you the lowdown on how the FREAK attack affects you.
How did this attack originate?
The origins of this attack lie in the complex and murky world of United States diplomacy and international relations in the 1980s. A federal policy at that time forbade the export of software products with strong encryption. As a result, weaker export-grade products were shipped to other countries. While this policy was lifted in the 1990s, this ‘weaker encryption’ somehow became embedded in various software applications of the time and was never actively rectified until many years later.
While some developers eventually shifted to stronger encryption over time, this flaw remained inherent in many applications. Attackers gradually discovered ways to force servers to switch to this weaker encryption so that they could successfully intercept their data with MITM attacks.
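Export-grade suites like the ones described above can be spotted in a server's cipher inventory. The Python below is an added example, not code from the original post: it parses a constructed listing in the format printed by `openssl ciphers -v` and separates suites whose key exchange is export-grade RSA (limited to 512-bit keys, the case FREAK targets) from other export suites. The function names and the sample listing are assumptions.

```python
import re

# Constructed sample in the format printed by `openssl ciphers -v` on an
# OpenSSL 1.0.1-era build (newer builds no longer ship export suites).
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

LINE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+(?P<attrs>.*)$")

def parse(listing):
    """Yield one dict per suite: name, protocol, Kx/Enc fields, export flag."""
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or malformed line
        tokens = m.group("attrs").split()
        attrs = dict(t.split("=", 1) for t in tokens if "=" in t)
        yield {"name": m.group("name"), "proto": m.group("proto"),
               "kx": attrs.get("Kx", ""), "enc": attrs.get("Enc", ""),
               "export": "export" in tokens}

def classify(suite):
    """Return 'rsa-export' (the FREAK case), 'other-export' or 'ok'."""
    kx = re.match(r"(\w+)(?:\((\d+)\))?", suite["kx"])
    alg, bits = (kx.group(1), kx.group(2)) if kx else ("", None)
    # RSA key exchange that is export-flagged or capped at 512 bits.
    if alg == "RSA" and (suite["export"] or (bits and int(bits) <= 512)):
        return "rsa-export"
    if suite["export"]:
        return "other-export"
    return "ok"

def audit(listing):
    """Map each finding class to the suite names that fall in it."""
    report = {"rsa-export": [], "other-export": [], "ok": []}
    for s in parse(listing):
        report[classify(s)].append(s["name"])
    return report

if __name__ == "__main__":
    for verdict, names in audit(SAMPLE).items():
        print(f"{verdict:13} {', '.join(names) or '-'}")
```

Any name reported under `rsa-export` is a suite to remove from the server's configuration.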
Why is this attack called ‘FREAK’?
The name FREAK stands for “Factoring Attack on RSA-EXPORT Keys”.
What can attackers really do via FREAK?
This attack enables malicious parties to intercept the traffic of vulnerable web browsers and crack its encryption over a few hours. This would enable the attackers to steal confidential passwords and other sensitive data, which could in turn lead to several other privacy and security issues. It can also enable attackers to take control over specific elements on webpages.
Right now the FREAK vulnerability primarily affects Android and Apple Safari web browsers. The Google Chrome browser installed on Android phones is not vulnerable. However, the in-built web browser is vulnerable to this attack. Searches carried out on the in-built Google search engine site are also not vulnerable.
Google has reported that it has extended solutions to its partners i.e. the manufacturers of Android devices. But it ultimately lies in the hands of these OEMs to implement the solution in order to protect their users. Apple is in the process of finding and implementing a solution for this purpose and intends to release the fix within a week.
How can I learn more about FREAK?
A good source for finding out which sites are affected, and for further reading on the topic, is freakattack.com. Some popular sites that are affected by this vulnerability are as follows:
- Business Insider
- American Express
- Tiny URL
- National Geographic
- Axis Bank
These and many other popular websites are vulnerable to FREAK. If you regularly visit and use these websites, you need to be very careful. Researchers have also claimed that 36.7% of browser-trusted sites are vulnerable. This effectively means that 1 in 3 sites that you visit could be at risk. Another good source for further reading on FREAK is this blog post issued by Matt Green, a Johns Hopkins cryptographer who is investigating this flaw.
FREAK comes along at a time when authorities all over the world are already struggling with the moral issue of gaining access into people’s personal devices and accounts for law enforcement purposes. They are also dealing with strong encryption technology implemented by device makers and the unwillingness of those device makers to grant these ‘open doors’ into devices.
The Quick Heal Threat Research Labs are also investigating this flaw further and we will be posting updates on FREAK from time to time.