US policy exposes Apple and Google devices to Freak attack

An old US policy requiring weaker encryption for export products is exposing millions of Apple and Google devices, say researchers

An old US policy requiring weaker encryption for export products is exposing millions of iPhones, Android devices, Mac OS X computers and around 97,000 websites to attack, say researchers.

Although the policy was aimed at the export market in the 1990s and has since been discontinued, products and services using the weakened cryptography are still to be found, including inside the US.

The latest SSL vulnerability to be discovered allows attackers to intercept HTTPS connections between vulnerable devices and web servers of supposedly secure websites.

Researchers have found that once intercepted, the connections can be forced to use export-grade cryptography, even if the weak algorithms are disabled by default.

This weakened cryptography could be cracked within hours using cloud computing capacity that could be hired for $100 or less, cryptographer Matthew Green told the Washington Post.

Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the websites themselves, the researchers warned.

About a third of encrypted websites, or 12% of all websites, are believed to be vulnerable, including several banks, media sites and government agencies.

Independent security consultant Graham Cluley said all organisations that run websites should disable support for any export suites on their web servers.

“ suggests that instead of simply excluding RSA export cipher suites, administrators should disable support for all known insecure ciphers and enable forward secrecy,” he said in a blog post.
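The server-side advice above, turned into a check, as an added example that is not from the article or from anyone it quotes: it audits a list of cipher suite names for export-grade suites, insecure primitives and missing forward secrecy. The suite list is constructed sample input, and which primitives count as insecure is this example's assumption.

```python
import re

# Name patterns cover both OpenSSL-style ("EXP-RC4-MD5") and IANA-style
# ("TLS_RSA_EXPORT_WITH_...") cipher suite names.
EXPORT = re.compile(r"^EXP-|_EXPORT_")
# Assumption of this example: these primitives are treated as insecure.
WEAK = re.compile(r"NULL|RC4|RC2|DES|MD5|^ADH-|^AECDH-|anon", re.I)
# Forward secrecy: ephemeral (EC)DH key exchange, or a TLS 1.3 suite name.
FS = re.compile(r"(^|[-_])(ECDHE|DHE|EDH)[-_]|^TLS_(AES|CHACHA20)_")


def audit_suite(name):
    """Return the findings for one suite name; an empty list means acceptable."""
    findings = []
    if EXPORT.search(name):
        findings.append("export-grade")
    if WEAK.search(name):
        findings.append("insecure-primitive")
    if not FS.search(name):
        findings.append("no-forward-secrecy")
    return findings


def audit_server(offered):
    """Map every problematic suite a server offers to its findings."""
    return {s: f for s in offered if (f := audit_suite(s))}


def hardened(offered):
    """Keep only the suites with no findings, preserving server order."""
    return [s for s in offered if not audit_suite(s)]


# Constructed sample: suites a legacy server configuration might still enable.
OFFERED = [
    "EXP-RC4-MD5",
    "EXP-EDH-RSA-DES-CBC-SHA",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "RC4-SHA",
    "AES128-SHA",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite, findings in audit_server(OFFERED).items():
        print(f"{suite}: {', '.join(findings)}")
    print("keep:", hardened(OFFERED))
```

Note that an export suite with ephemeral key exchange (the second entry) still fails the audit: forward secrecy does not compensate for a key short enough to factor.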


Apple and Google are working to create a fix for the vulnerability, dubbed Freak or Factoring Attack on RSA Export Keys, that has been registered as CVE-2015-0204.

Although the vulnerability has existed for more than a decade, researchers said there is no evidence any attackers have exploited the weakness to date.

Researchers have been alerting affected government agencies and companies in the past few weeks to enable them to correct the problem before it became public.

However, cloud services firm Akamai reported on efforts to mitigate the problem in a blog post earlier this week, making the issue public sooner than the researchers had planned, reported the Washington Post.

The and websites have been fixed, but other government sites are believed to still be vulnerable.

Apple is reportedly preparing a security patch that will be in place next week, and Google has provided a patch to makers of Android devices, which will be responsible for its deployment.

Only the browser in Android devices is vulnerable to the Freak bug. Google’s Chrome browser is not vulnerable and connections to Google's search website are not affected, the company said.

Researchers said browsers from Microsoft or Firefox-maker Mozilla are also not affected.

The vulnerability is the latest in a series of weaknesses that have been discovered in SSL/TLS, the technology that was designed to keep online transactions secure.

Apple patched a critical SSL flaw in iOS and Mac OS about a year ago, but that has since been followed by other SSL flaws better known as Heartbleed, Poodle, Superfish and PrivDog.
