In a recent discovery by French researchers in conjunction with Microsoft Research, the SSL/TLS protocols used to encrypt connections between browsers and website servers were found to be vulnerable on a variety of commonly used operating systems and browsers, including Google’s mobile OS, Windows Internet Explorer (IE) and Apple’s Safari.
The vulnerability, called the FREAK (Factoring attack on RSA-EXPORT keys) encryption bug weakens encrypted connections between computers and websites, allowing hackers to intercept traffic and steal confidential user data. Any application that uses a version of OpenSSL prior to the 1.01.k update is susceptible to the bug. Servers that accept the RSA-EXPORT cipher suites are also at risk.
Although FREAK has been around since the 1990s, it wasn’t made public until the beginning of March. The vulnerability was the result of encryption export laws that have since been overturned. The laws were meant to enforce national security by making sure any encryption methods shipped overseas could be busted by the government. Priorities have changed and the laws were removed, but some browsers and servers still support the lax standards. FREAK essentially allows hackers to downgrade the security of connections from strong encryption to that of the weaker levels, such as the 512-bit key.
How does this work exactly? A perpetrator can conduct a wireless man-in-the-middle attack by hacking into a public WiFi network (oftentimes found in public places such as a coffee shop or airport) and intercept data from unsuspecting parties. By leveraging weaknesses in the SSL/TLS protocol, the weaker, 512-bit key can be revealed and data traffic can then be decrypted.
Microsoft has recently admitted that some of its computers are vulnerable to the flaw, putting hundreds of millions of users at risk. The software giant has stated that the bug affects all supported versions of Windows. On March 10, Microsoft patched Windows to prevent any possible FREAK attacks against users of IE. This update follows patches by Apple to OS X and iOS to protect users of its Safari browser. Google has also patched its Chrome browser on Windows, OS X and Linux.
Although OpenSSL is designed to enhance security, it has recently been involved in a number of high-profile security vulnerabilities, such as Heartbleed. As it is nearly impossible to completely protect ourselves from becoming a victim of a security breach, offering easy to use, encrypted wireless for BYOD users has never been more important.