
Researchers Find New 'FREAK' Security Flaw, Apple Says Fix Coming Soon

macrumors bot (Original poster, joined Apr 12, 2001)

Researchers have recently uncovered a major security flaw in software created by companies like Google and Apple, leaving many devices vulnerable to hacking attempts, reports The Washington Post. Called "FREAK" (Factoring Attack on RSA-EXPORT Keys), the vulnerability stems from a U.S. government policy that once prevented companies from exporting strong encryption, requiring them to instead create weak "export-grade" products to ship to customers outside of the United States.

These restrictions were lifted more than a decade ago, but the weaker encryption has continued to be used by software companies as a result of the old policy and it has even been built into software in the U.S. The existence of lingering "export-grade" encryption was unnoticed until this year, when researchers found they could force browsers to use lower-grade 512-bit encryption and then crack it.

Hackers could potentially employ the same tactic, cracking weak encryption and then stealing passwords and other information. Researchers also believe the vulnerability could be used to launch attacks on and infiltrate major websites. In testing, the export-grade encryption key was breached in seven hours using computers and more than a quarter of encrypted sites were found to be vulnerable.

"We thought of course people stopped using it," said Karthikeyan Bhargavan, a researcher at the French computer science lab INRIA whose team initially found the problem during testing of encryption systems.

Nadia Heninger, a University of Pennsylvania cryptographer, said, "This is basically a zombie from the '90s... I don't think anybody really realized anybody was still supporting these export suites."

As pointed out by The Washington Post, the FREAK vulnerability is an example of the problems that can arise when the government gets involved in device security. Government officials have recently expressed concern over the privacy features that Apple and Google have been building into their smartphones in response to outrage over secretive government surveillance programs like PRISM.

FBI Director James Comey has made remarks suggesting Apple and Google should scale back encryption, as government access to electronic devices is necessary in some cases. He has said that it may matter a "great, great deal" that the government be able to infiltrate the device of a kidnapper, criminal, or terrorist.

The researchers who discovered the flaw have notified government sites and major technology companies to fix the issue before it became widely publicized. FBI.gov and Whitehouse.gov have been fixed, and according to Apple spokeswoman Trudy Miller, Apple is preparing a security patch that will be "in place next week for both its computers and its mobile devices."

Article Link: Researchers Find New 'FREAK' Security Flaw, Apple Says Fix Coming Soon
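The downgrade the article describes (a browser being forced onto 512-bit export-grade RSA) leaves two signals a defender can look for in a TLS handshake: an export-grade cipher suite appearing in the ClientHello or ServerHello at all, and a ServerHello selecting a suite the client never offered, which a compliant TLS client must reject. The Python below is an added example written for this thread, not code from the article, the INRIA researchers or Apple. It parses the two hello messages and flags both conditions. The suite IDs are the export suites defined in RFC 2246; the ClientHello and ServerHello bytes are constructed samples (zeroed randoms, empty session IDs), and the function names are my own.

```python
"""Flag export-grade cipher suites in TLS ClientHello/ServerHello messages.

Added example for this thread; not code from the article, the researchers
or Apple. The sample handshake bytes at the bottom are constructed by hand.
"""
import struct

# Export-grade suite IDs from RFC 2246 (TLS 1.0): 40-bit ciphers keyed via
# 512-bit RSA or DH parameters, the "zombies from the '90s" quoted above.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte TLS record header and 4-byte handshake header."""
    if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_type = record[5]
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_type != expected_type or 4 + hs_len != rec_len or len(record) < 5 + rec_len:
        raise ValueError("truncated or unexpected handshake message")
    return record[9:9 + hs_len]


def client_hello_suites(record: bytes) -> list[int]:
    """Return the cipher suite IDs a ClientHello offers, in the order offered."""
    body = _handshake_body(record, 0x01)               # 0x01 = ClientHello
    pos = 2 + 32                                       # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                                 # session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]


def server_hello_suite(record: bytes) -> int:
    """Return the single cipher suite a ServerHello selected."""
    body = _handshake_body(record, 0x02)               # 0x02 = ServerHello
    pos = 2 + 32                                       # server_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                                 # session_id
    return struct.unpack("!H", body[pos:pos + 2])[0]


def export_suites_in(suites) -> list[str]:
    """Names of any export-grade suites among the given IDs."""
    return [EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES]


def assess_exchange(client_hello: bytes, server_hello: bytes) -> dict:
    """Summarize one handshake: export suites offered, export suite chosen,
    and whether the server picked a suite the client never offered (which a
    correct client must reject as a protocol violation)."""
    offered = client_hello_suites(client_hello)
    chosen = server_hello_suite(server_hello)
    return {
        "client_offers_export": export_suites_in(offered),
        "server_chose_export": EXPORT_SUITES.get(chosen),
        "downgrade_to_unoffered_suite": chosen not in offered,
    }


# --- constructed sample messages (assumed shape: TLS 1.0, zero randoms) ---
def _build_client_hello(suites) -> bytes:
    body = (b"\x03\x01" + bytes(32) + b"\x00"          # version, random, empty sid
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                             # compression: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def _build_server_hello(suite: int) -> bytes:
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# A client offering only AES-128, AES-256 and 3DES, answered by a server that
# nevertheless selects TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003).
SAMPLE_CLIENT_HELLO = _build_client_hello([0x002F, 0x0035, 0x000A])
SAMPLE_SERVER_HELLO = _build_server_hello(0x0003)

if __name__ == "__main__":
    print(assess_exchange(SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO))
```

Run against the constructed pair, the report shows no export suite offered, an export suite chosen, and the unoffered-suite flag set; on a passive capture the same functions can be fed the first handshake record of each direction.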
 

H2SO4 (macrumors 601, joined Nov 4, 2008)

Pardon???

I mean….
...from a U.S. government policy that once prevented companies from exporting strong encryption, requiring them to instead create weak "export-grade" products to ship to customers outside of the United States

WTF??

ArtOfWarfare (macrumors G3, joined Nov 26, 2007)

No impact on Windows?

Also, how did this end up impacting open source software? It seems to me the open source community would just ignore any laws like this (who would be busted for it?). And OS X comes from BSD, which is open source, does it not?

----------

I mean….
...from a U.S. government policy that once prevented companies from exporting strong encryption, requiring them to instead create weak "export-grade" products to ship to customers outside of the United States

WTF??

US software can't be sold in certain countries such as North Korea according to US law. As a result, *nix has a far higher marketshare in NK than most other places (you can't legally install either of the leading OSs, Windows or OS X, there, because they're both from US companies.)

NightFox (macrumors 68020, joined May 10, 2005, Shropshire, UK)

I'm still trying to work out how you get from "Factoring Attack on RSA-EXPORT Keys" to FREAK. This is taking acronym creation into a whole new dimension.

Saucesome2000 (macrumors 6502, joined Dec 10, 2014, Nashville, TN)

"the FREAK vulnerability is an example of the problems that can arise when the government gets involved in device security."

It's a good thing no problems could arise if the government ever gets involved in regulating the internet...

MCSN (macrumors regular, joined Feb 7, 2012, Kayenta)

another one of those security flaw reports where you get the sinking feeling that the hackers that apple and others are fighting are the governments themselves.

let's just put skynet online and get it over with.

AngerDanger (macrumors 603, joined Dec 9, 2008)

In testing, the export-grade encryption key was breached in seven hours using computers and more than a quarter of encrypted sites were found to be vulnerable.

For those who are wondering, that's roughly 13.5 hours using bananas, depending on ripeness.

Daveoc64 (macrumors 601, joined Jan 16, 2008, Bristol, UK)

I mean….
...from a U.S. government policy that once prevented companies from exporting strong encryption, requiring them to instead create weak "export-grade" products to ship to customers outside of the United States

WTF??

Encryption was effectively classed as a weapon, so shipping it outside of the US, particularly to rogue countries that the US didn't approve of was a big no-no.

Sasparilla (macrumors 68000, joined Jul 6, 2012)

"This is basically a zombie from the '90s... I don't think anybody really realized anybody was still supporting these export suites."

I'll bet the NSA knew it was still being used. 'Course if the vulnerability is there, it's there for anyone who wants to use it (criminals, China, NSA etc.).

I was hoping to hear more about the technical details of the vulnerability and how bad this is (i.e. is this in Safari, should we not do secure website use till it's fixed?)

Gasu E. (macrumors 601, joined Mar 20, 2004, Not far from Boston, MA.)

I mean….
...from a U.S. government policy that once prevented companies from exporting strong encryption, requiring them to instead create weak "export-grade" products to ship to customers outside of the United States

WTF??

This is thirty-year old news.

----------

For those who are wondering, that's roughly 13.5 hours using bananas, depending on ripeness.

Ridiculous comment. Computers are much, much more than twice as fast as bananas in breaking encryption. Maybe they were closer back in the '90s.

sbailey4 (macrumors 68040, joined Dec 5, 2011, USA)

Apple is preparing a security patch that will be "in place next week for both its computers and its mobile devices."

Guess this answers the "When is iOS 8.2 going to be released" rumor

PBG4 Dude (macrumors 68040, joined Jul 6, 2007)

This is thirty-year old news.

----------

Ridiculous comment. Computers are much, much more than twice as fast as bananas in breaking encryption. Maybe they were closer back in the '90s.

Maybe a European banana, but I think African bananas can crunch through encryption much faster.

reedmo (macrumors newbie, joined Dec 25, 2011)

I see Kim Jong Un never got the memo about not buying from a US company...

US software can't be sold in certain countries such as North Korea according to US law. As a result, *nix has a far higher marketshare in NK than most other places (you can't legally install either of the leading OSs, Windows or OS X, there, because they're both from US companies.)

[Attachment: IMG_5485.jpg]

Northgrove (macrumors 65816, joined Aug 3, 2010)

"may matter that the government be able to infiltrate the device of a kidnapper, criminal, or a terrorist".

So, in other words "a criminal".

Pay attention to how they try to skew public opinion in their favor by being redundant...

It's also kind of stupid, since the big threats are of course not relying on electronic devices supporting mobile networks and all to spread their messages. Couriers, anyone?

IJ Reilly (macrumors P6, joined Jul 16, 2002, Palookaville)

As pointed out by The Washington Post, the FREAK vulnerability is an example of the problems that can arise when the government gets involved in device security. Government officials have recently expressed concern over the privacy features that Apple and Google have been building into their smartphones in response to outrage over secretive government surveillance programs like PRISM.

What the WaPo actually pointed out was this:

The problem illuminates the danger of unintended security consequences at a time when top U.S. officials, frustrated by increasingly strong forms of encryption on smartphones, have spoken of requiring technology companies to build “doors” into systems to protect the ability of law enforcement and intelligence agencies to conduct surveillance.

Vaguely similar, not the same. PRISM wasn't mentioned at all.

Of more interest to us, and actually mentioned in the article:

Google declined to comment for this story. It typically has more trouble delivering security updates because the company does not sell or manufacture most devices using the Android operating system. Google’s Chrome browser is not vulnerable to the FREAK bug, but the browser that comes built into most Android devices is vulnerable. Connections to Google's search Web site are not affected by the flaw.