FREAK Flaw Leaves Web Sites and Mobile Devices Exposed

Many web sites and mobile devices are at risk of electronic attack thanks to a newly discovered security vulnerability that dates back to the 1990s. Dubbed FREAK, this vulnerability was inadvertently caused by the lifting of strong encryption requirements for products exported from the United States over two decades ago.

FREAK—for “Factoring Attack on RSA-EXPORT Keys”—was discovered by cryptographers at INRIA (the French Institute for Research in Computer Science and Automation), Microsoft Research and IMDEA (Spain). It is a set of vulnerabilities in OpenSSL on the web, and on Android and on Apple systems including iOS, which allow man in the middle attacks similar to those made possible by the Superfish malware that Lenovo was distributing on its PCs. Ironically, this vulnerability is present in many US government sites.

Basically, hackers can downgrade secure encrypted connections to “export-grade” (512 bit) encryption—itself dating back to the 1980s—which is fairly easy to exploit with a brute force attack. The cryptographers were able to crack this weak encryption in just over seven hours using a block of Amazon-hosted virtual machines at a cost of about $100. And this all works because of bugs in modern OpenSSL clients that cause them to accept vulnerable export-grade encryption keys.

Curiously, these bugs are tied to US government policy from the early 1990s: at the time, the United States had strict rules regarding the distribution of encryption products outside the country, and it required companies doing so to deliberately weaken the strength of those keys to 512 bits so that the NSA could still intercept supposed secure communications. Inside the US, companies—and the government—could and did use stronger encryption. But because of this two-tier system, companies built software that could decipher both strong and weak encryption keys.

The US eventually lifted its ban on exporting strong encryption—one imagines the NSA simply built stronger computers for thwarting it more quickly—but the software for decrypting those weak export-grade keys has sat untouched ever since. And bugs in that code now let attackers turn off today’s strong encryption in modern technology products and web sites and revert to the 1990’s-era export-grade encryption instead, making those systems vulnerable.

“Encryption backdoors never quite work out the way you want them to,” cryptographer Matthew Green writes in a bog post describing the flaw. “It seems that [export-grade encryption] is supported by as many as 36.7 percent (!!!!) of the 14 million sites serving browser-trusted certifications. The vast majority of these sites appear to be content distribution networks (CDNs) like Akamai. Those CDNs are now in the process of removing export grade suites.”

If you enjoy a bit of irony, it may amuse you to discover that the security researchers who discovered this vulnerability used it to downgrade the encryption on the NSA’s web site to 512 bits. “Since the NSA was the organization that demanded export-grade crypto, it’s only fitting that they should be the first site affected by this vulnerability,” Green explained. The hack only required “a few hours of factoring.”

While there is no evidence that hackers have already exploited the vulnerability, the responsible parties are rushing to make sure it never happens. A patch to the latest version of OpenSSL, which was released in January, negates this vulnerability. Akamai and other CDNs are currently patching their systems. Google has already shipped a patch for Android (though Google Chrome is not vulnerable; these flaws impact the non-Chrome Android web browser). And Apple says it’s working on a fix as well.

But with US and EU lawmakers currently considering a new round of encryption backdoors, especially on mobile devices which are starting to ship from the factory with strong encryption, Green has a bit of advice.

“Encryption backdoors will always turn around and bite you in the ass,” he explains. “They are never worth it.”