EncryptionHackers exploit 1990s-era weak-encryption mandate
Researchers have an old-new computer security vulnerability — the Factoring Attack on RSA-EXPORT Keys (FREAK), which affects SSL/TLS protocols used to encrypt data as it is transmitted over the Internet. The FREAK vulnerability goes back to an early 1990s U.S. restriction which limited software sold abroad to a maximum 512-bit code encryption. The mandate was set to allow U.S. federal intelligence agencies easily to spy on foreign software users.
Almost a year after the discovery of the Heartbleed bug, researchers have identified another computer software security flaw which allows hackers to intercept secured communications. The Factoring Attack on RSA-EXPORT Keys (FREAK) affects SSL/TLS protocols used to encrypt data as it is transmitted over the Internet and puts at risk private information including passwords and banking information.
The FREAK vulnerability goes back to an early 1990s U.S. restriction which limited software sold abroad to a maximum 512-bit code encryption. According toUSA Today, that mandate was set to allow U.S. federal intelligence agencies easily to spy on foreign software users. The restriction was ended in the late 1990s following criticism and protest by the technology community, but many software developers continued to use the weaker encryption code.
About five million Web sites are vulnerable to the FREAK flaw, which has existed for many years, but was just uncovered by researchers at the INRIA computer science lab in France.
Computers connected to the Web communicate with servers on how best to protect data, but due to the FREAK flaw, some software, including Apple’s Secure Transport, can be manipulated into accepting the weaker encryption program, which can then be hacked. Such “man-in-the-middle” attacks are used to steal data and decode what victims believe is protected, encrypted communications. Internet users are particularly vulnerable to this type of attack when relying on public Wi-Fi services. While it is easy for hackers to exploit the FREAK flaw, software developers can use stronger encryption programs including the 1024-bit and the stronger 2048-bit program.
The discovery comes just as FBI head James Comey is asking technology and software developers to build backdoors in the security of their products so that intelligence agencies can readily decrypt data for reasons of national security. Cybersecurity professionals fear that developer-approved backdoors could one day be misused by criminal hackers or foreign countries. “You cannot have a secure and an insecure mode at the same time… What we’ve seen is that those flaws will ultimately impact all users,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union.