Friday, 6 March 2015

Hundreds of Millions of iPhone, iPad and Android users at Risk from the Decades-Old Security Bug – ‘The Freak’

According to the latest reports, researchers have uncovered a new vulnerability in the way our data is protected online known as ‘The Freak’. We say new, but actually the bug, which affects HTTPS encrypted communication online, is believed to have been around for decades, despite only being uncovered on 3rd March 2015. If exploited, this bug could give hackers access to people’s login details and banking information and puts iPhone, iPad and other smartphone users particularly at risk.

What is ‘The Freak’?

‘The Freak’ is the latest security flaw to be discovered in the cryptographic protocols that are designed to encrypt online communications (you may know them as SSL and TLS). The vulnerability has been found to be common in OpenSSL, the same software library that was at the centre of the ‘Heartbleed’ security scare last year.

How was ‘The Freak’ discovered?

Researchers at the French Institute for Research in Computer Science and Automation, Microsoft Research and IMDEA discovered the vulnerability on Tuesday 3rd March; however, it is believed to have been around since the early 1990s.

Some experts say the vulnerability is a result of the US government deciding to weaken the encryption standards on products that US companies shipped overseas. Companies were required to downgrade from strong RSA encryption to what was known as ‘export grade’ encryption. This was still strong encryption for its time, but a 512-bit export key could be cracked by a supercomputer, meaning only the likes of the US government could exploit the weakness.

However, technology has advanced over the years, and with computing power now readily available through cloud computing services, anyone could potentially exploit the vulnerability in 2015.

Who is most vulnerable to ‘The Freak’ bug?

Researchers are saying that the people most vulnerable to ‘The Freak’ bug are users of Apple’s Safari web browser on iPhone, iPad and Mac devices. They have also said that users of Android devices are vulnerable, as Google uses the OpenSSL protocol as part of its mobile operating system. This basically means that hundreds of millions of people using these devices are at risk, should hackers exploit the vulnerability.

Users of the Chrome desktop browser, Internet Explorer and Mozilla Firefox are not vulnerable to ‘The Freak’ bug.

Looking at servers, the researchers have said that around 10% of the internet’s top million websites are likely to be at risk. This has already fallen from 12.2% since Tuesday, showing that website administrators are proactively taking action. Unfortunately, there are still a number of major banking, media and government websites that are potentially affected, including American Express, Business Insider and IB Times UK.

How can it be exploited?

‘The Freak’ bug can be exploited through what is known as a ‘man in the middle’ attack. This basically means that if a hacker is sitting on the same network as a user, they can intercept the user’s encrypted communications between a vulnerable device and a vulnerable website and read them as plain text.

If a user visits one of the affected websites using one of the vulnerable web browsers, then they could be at risk from a hack. All the hacker needs to do is force the website to use the ‘export grade’ encryption ciphers we mentioned earlier to obtain the information they require.

What’s being done about ‘The Freak’?

Apple was very quick to respond to news of the vulnerability and said they were working on a fix for both iOS and OS X that will be available in software updates next week. Google has said that it has already issued a fix, which has been sent to device makers and wireless carriers.

The researchers have also advised website administrators to disable support for any export suites, including RSA export cipher suites and all known insecure ciphers.

Do I need to stop using my device?

Although iPhone, iPad, Mac and Android device users are potentially at risk, the general consensus is that users can keep using their devices. Although an attack is possible, it would require the hacker to go to a lot of trouble, and since a fix is imminent, you are likely to remain safe for the next week or so.

One of the best ways to keep your information protected from ‘The Freak’ bug is to avoid logging onto public Wi-Fi networks. We also highly recommend updating your browser once Apple and Google issue their fixes in the coming week.

Are you concerned about ‘The Freak’? If you have any questions about this particular vulnerability or simply want to learn more about the security solutions we provide, feel free to get in touch with the Grant McGregor team today.

Image source: https://farm8.staticflickr.com/7475/15855653380_74bb9bbf33.jpg

Image credit: perspec_photo88