The Washington Post reports that researchers have discovered a major security flaw, dubbed “FREAK,” in widely used software, including Apple’s Safari and Google’s Android AOSP browsers, that leaves many devices vulnerable to attack.
Called “FREAK” (Factoring Attack on RSA-EXPORT Keys), the vulnerability stems from a U.S. government policy that once prevented companies from exporting strong encryption, requiring them to instead create weak “export-grade” products to ship to customers outside of the United States.
While the restrictions were lifted more than a decade ago, software companies continued to support the weaker encryption, and it has even been used in software intended for use in the United States. The continued existence of the “export-grade” encryption went unnoticed until recently, when researchers found they could force browsers to fall back to the lower-grade encryption, and then crack it.
Attackers could use the same tactic to steal passwords and other personal information, as well as to launch attacks on websites. In testing, the export-grade encryption key was cracked in seven hours, and more than a quarter of encrypted sites were found to be vulnerable.
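As an added illustration, not code from the Post's report or from the researchers' work, the following Python shows how the downgrade described above looks in a captured handshake: it parses a ClientHello and ServerHello and reports when the server selected an RSA_EXPORT suite, or a suite the client never offered. The handshake bytes are constructed here; the cipher-suite identifiers are the TLS registry values.

```python
# RSA_EXPORT cipher-suite ids from the TLS registry: RC4_40_MD5, RC2_CBC_40_MD5,
# DES40_CBC_SHA, EXPORT1024_DES_CBC_SHA, EXPORT1024_RC4_56_SHA
RSA_EXPORT_SUITES = {0x0003, 0x0006, 0x0008, 0x0062, 0x0064}

def handshake_body(record):
    """Strip the 5-byte record header and 4-byte handshake header; return (type, body)."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    length = int.from_bytes(record[6:9], "big")
    return record[5], record[9:9 + length]

def skip_to_suites(body):
    """Return the offset just past the version (2), random (32) and session_id fields."""
    pos = 2 + 32
    return pos + 1 + body[pos]

def offered_suites(client_hello):
    """Cipher suites listed in a ClientHello, in the client's preference order."""
    msg_type, body = handshake_body(client_hello)
    if msg_type != 0x01:
        raise ValueError("not a ClientHello")
    pos = skip_to_suites(body)
    pos, n = pos + 2, int.from_bytes(body[pos:pos + 2], "big")
    return [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + n, 2)]

def chosen_suite(server_hello):
    """The single cipher suite the server selected in its ServerHello."""
    msg_type, body = handshake_body(server_hello)
    if msg_type != 0x02:
        raise ValueError("not a ServerHello")
    pos = skip_to_suites(body)
    return int.from_bytes(body[pos:pos + 2], "big")

def check_handshake(client_hello, server_hello):
    """Flag an export-grade selection and a selection the client never offered."""
    offered, chosen = offered_suites(client_hello), chosen_suite(server_hello)
    findings = []
    if chosen in RSA_EXPORT_SUITES:
        findings.append("export-grade RSA suite selected: 0x%04x" % chosen)
    if chosen not in offered:
        findings.append("selected suite 0x%04x was never offered by the client" % chosen)
    return findings

def make_record(msg_type, body):
    """Wrap a handshake body in handshake and TLS 1.0 record headers (constructed data)."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed sample: the client offers only AES suites 0x002f and 0x0035, yet the
# ServerHello it receives selects TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003).
SAMPLE_CLIENT_HELLO = make_record(0x01, b"\x03\x01" + bytes(32) + b"\x00\x00\x04\x00\x2f\x00\x35\x01\x00")
SAMPLE_SERVER_HELLO = make_record(0x02, b"\x03\x01" + bytes(32) + b"\x00\x00\x03\x00")
```

Running `check_handshake(SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO)` yields both findings; a client that rejects the second condition is not exposed to this downgrade.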
“We thought of course people stopped using it,” said Karthikeyan Bhargavan, a researcher at the French computer science lab INRIA whose team initially found the problem during testing of encryption systems.
Apple is creating a client-side patch for the issue on both iOS and OS X, likely ready by next week, while the INRIA, IMDEA, and Microsoft researchers who discovered the flaw have been working to notify hosts that are still serving export ciphers.