Microsoft, in conjunction with a French research company called INRIA and a Spanish research institute called IMDEA Software, found an encryption flaw that affects most Internet users. This bug is known as FREAK, which stands for Factoring Attack on RSA-EXPORT Keys. Nearly two decades ago, the federal government wanted a way for law enforcement agencies to conduct surveillance on people in other countries.
They requested that companies create weak encryption standards on their products to export to other countries. The National Security Agency required Netscape to deploy 40-bit cryptography on the international version of their browser, Netscape Navigator. Due to protests from other software developers and the technological community, companies were free to use the same strong encryption standards on national products and international products.
The issue with these restrictions is that American servers needed to support both strong and weak encryption keys so everybody could access information. If someone outside of the US wanted to access a webpage, servers would have to negotiate with browsers and use a weak encryption key to give people access. The idea was that these weak keys would be phased out as more companies use strong encryption standards. However, the FREAK bug lets servers accept weak RSA keys even if servers and browsers can support strong encryption keys. Unfortunately for the NSA, the FREAK vulnerability left their website and other federal websites open to attacks.
The FREAK vulnerability can give hackers a way to interfere with the secure data that’s being transferred from browsers to web servers. FREAK allows hackers to target weak export cipher suites, and lets hackers trick browsers into using weak export keys. The keys used in this old encryption standard are easy to crack, and it could take a hacker about 7 hours to break in. Then hackers can conduct a man-in-the-middle attack after exploiting this vulnerability. Hackers conducting man-in-the-middle attacks can steal confidential information like banking log-ins, and passwords to email addresses. People are especially vulnerable to man-in-the-middle attacks when they’re out using public Wi-Fi, like at a café.
Almost everyone is vulnerable to this encryption bug, including people who access the Internet through their smartphones. Microsoft, Apple, and Blackberry have created patches for their operating systems to fix the bug. Users who access the Internet through the latest version of Chrome are not vulnerable to the attack, but people using Android’s browser on their smartphones are. Google has created a patch for Android users.
Although patches have been created to fix the FREAK vulnerability, this incident demonstrates that businesses need to keep their networks secure. FREAK allows hackers to tamper with the data that’s been transferred between servers and browsers. EiQ Networks’ SecureVue compliance monitoring service gives businesses the tools to build an effective security program. SecureVue detects security issues on network devices, including servers, and ways to remediate vulnerabilities. Companies with a solid cybersecurity plan in place can get ahead of vulnerabilities before hackers find a way to exploit them.