14 DAY TRIAL // A serious vulnerability identified in the implementation of the SSL/TLS protocols used on Apple and Android devices to establish a secure connection can be abused in a man-in-the-middle (MitM) attack to force the use of easy-to-crack RSA keys.
The attack has been dubbed FREAK (Factoring RSA Export Keys) and relies on a now-abandoned policy from 1990 that required weak encryption keys to be used in software and hardware products exported from the US.
To achieve this, “export-grade” cryptography was implemented in the SSL protocol, which consisted in adding on purpose cipher suites that used easy-to-break keys for the encryption. These were marked with the prefix “EXP.”
Weak crypto key cracked in seven hours
Hackers in a position to intercept traffic exchanged between vulnerable clients and servers (Safari and OpenSSL-based web browsers) could force a downgrade of the strong encryption key used to protect the traffic to a weaker one.
The resulting export-grade RSA key securing the connection is 512-bits large, which used to be quite strong back then, but due to technological advancements today, it can be decoded in a little over seven hours.
The test was carried out by the researchers on a cluster of EC2 virtual servers and cost about $100 / €90, says Matthew Green, cryptographer and research professor at Johns Hopkins University.
NSA, FBI, other .gov websites are vulnerable
Although the specification is no longer used, it remains supported in OpenSSL and Apple’s Security Transport, potentially putting at risk the secure connection to HTTPS websites.
The flaw (CVE-2015-0204) has been discovered by Karthikeyan Bhargavan from INRIA research institute in France and Microsoft Research team. They have found that the websites of many US government agencies, such as NSA and FBI, are vulnerable.
“Other than websites, HTTPS servers that enable export ciphersuites include those that host popular third-party JavaScript, such as the Facebook JavaScript SDK (loaded in most sites that use Facebook's Like or Login button),” the researchers say.
A list with vulnerable websites has been compiled, based on their Alexa rank, and it includes domains like SEC.gov, Senat.gov, USAJobs.gov, Ohio.goc, WhiteHouse.gov, MIT.edu, Marriott.com, AxisBank.com and AmericanExpress.com. Users are also offered the possibility to test if their web browser is affected by the FREAK attack and check the supported cipher suites.
Akamai fixes issue on their side, Apple prepares patch
Akamai cloud platform, which is also used by NSA’s website, announced that it patched the flaw on their end and that internal traffic (midgress) was no longer vulnerable. However, it warns that the risk is not completely removed until clients solve the issue too.
Researchers say that the glitch is exploitable on clients using OpenSSL versions prior to 1.0.1k, on Android Browser and Safari web browser (patch is on the way). We tested Chrome for Android (the latest stable build, 40.0.2214.109, available on Google Play since February 5) and the result showed that Google mobile browser was also vulnerable.
Karthikeyan Bhargavan has told us via email that he does not believe that Chrome for Android is vulnerable to the FREAK attack and that the test may be broken.
[UPDATE]: Antoine Delignat-Lavaud from INRIA confirmed that Chrome for Android is indeed vulnerable to the FREAK attack.
Given the large number of users that rely on mobile devices to reach different parts of the web, this increases the potential amount of victims.
According to researchers at the University of Michigan, 36% of the 14 million websites that offer a secure SSL/TLS connection that is certified by web browsers, also support an RSA export cipher suite, making them vulnerable to traffic decryption.
