Apple, Android Prep 'Freak' FixExploiting Crypto Flaw Breaks HTTPS on Devices, Sites
Numerous Apple and Android devices, as well as websites, are vulnerable to a serious flaw, which an attacker could exploit to subvert secure Web connections. The flaw exists in SSL and TLS and results from the ability to force crypto suites to downgrade from using a "strong" RSA cipher to a weaker, "export-grade" RSA cipher.
"In case you're not familiar with SSL and its successor TLS, what you should know is that they're the most important security protocols on the Internet," Johns Hopkins University cryptographer Matthew D. Green says in a blog post. "In a world full of untrusted networks, SSL and TLS are what makes modern communication possible."
Security researchers warn that the flaw exists in versions of OpenSSL prior to 1.0.1k, and affects all Android devices that ship with the standard browser, although they say Google Chrome is immune. The flaw also exists in Apple TLS/SSL clients, which are used by both Mac OS X clients, as well as iOS mobile devices. The vulnerability has been designated as CVE-2015-0204.
Researchers say it's not clear how many users, devices or websites are vulnerable to the Freak flaw, or if it has yet been exploited in the wild. But 6 percent - or 64,192 - of the world's 1 million most popular websites (as ranked by Amazon.com Web traffic monitoring subsidiary Alexa) are currently vulnerable to the flaw, according to the Tracking the Freak Attack site, which is run by researchers at the University of Michigan, and can be used to check if clients are vulnerable to Freak attacks.
Researchers from French computer science lab INRIA, Spanish computer lab IMDEA and Microsoft Research have been credited with discovering the flaw and detailing how it can be exploited. "You are vulnerable if you use a Web browser that uses a buggy TLS library to connect, over an insecure network, to an HTTPS server that offers export ciphersuites," they say. "If you use Chrome or Firefox to connect to a site that only offers strong ciphers, you are probably not affected."
In recent weeks, the researchers - together with Green - have been alerting affected organizations and governments. Websites such as Whitehouse.gov, FBI.gov, and connect.facebook.net - which implements the Facebook "like" functionality - were vulnerable to related attacks, but have now been fixed, Green says. But he notes that numerous sites, including the public-facing NSA.gov website, remain vulnerable.
Apple, Google Prep Patches
Apple tells Information Security Media Group that it is prepping a patch, which it plans to release next week. OpenSSL released a related patch in January, and content delivery networks - such as Akamai - say they've either put fixes in place or will do so soon.
While Google didn't immediately respond to a related request for comment, a spokeswoman tells Reuters that the company has already prepped an Android patch and distributed it via the Android Open Source Project to its business partners. She notes that it's now up to those businesses - which include such equipment manufacturers as Samsung, HTC, Sony, Asus and Acer - to prep and distribute patches to their customers. But while some OEMs have a good track record at prepping and releasing patches in a timely manner, others delay, or never release patches.
Businesses and users should install related patches as quickly as possible, says information security consultant and SANS Institute instructor Mark Hofman in a blog post. "To prevent your site from being used in this attack you'll need to patch OpenSLL - yes, again. This issue will remain until systems have been patched and updated, not just servers, but also client software," he says. "Client software should be updated soon - hopefully - but there will no doubt be devices that will be vulnerable to this attack for years to come - looking at you Android.
Crypto Wars 1.0 Legacy
Experts say that the Freak flaw is a legacy of the days when the U.S. government restricted the export of strong encryption. "The SSL protocol itself was deliberately designed to be broken," Green says, because when SSL was first invented at Netscape, the U.S. government regulated the export of strong crypto. Businesses were required to use the relatively weak maximum key length of 512 bits if they wanted to ship their products outside the country.
While those export restrictions were eventually lifted, and many developers began using strong crypto by default, the export-grade ciphers still linger - for example in previous versions of OpenSSL - and can be used to launch man-in-the-middle attacks that force clients to downgrade to the weak crypto, which attackers can crack. "The researchers have identified a method of forcing the exchange between a client and server to use these weak ciphers, even if the cipher suite is not 'officially' supported," Hofman says.
The researchers who discovered the Freak flaw have published a proof-of-concept exploit on the SmackTLS website, demonstrating a tool they developed, together with a "factoring as a service" capability they built and hosted on a cluster of Amazon Elastic Compute Cloud - EC2 - servers. The exploit was first used against the NSA.gov website. "Since the NSA was the organization that demanded export-grade crypto, it's only fitting that they should be the first site affected by this vulnerability," Green says. Cracking the key for the NSA.gov website - which, it should be noted, is hosted by Akamai - took 7.5 hours, and cost $104 in EC2 power, he adds. Were the researchers to refine their tools, both the required time and cost to execute such attacks would likely decrease.
The researchers have reportedly been quietly sounding related alerts about the Freak flaw in recent weeks to vulnerable governments and businesses, hoping to keep it quiet so that patches could be rolled out in a widespread manner before news of the flaw went fully public. But The Washington Post reports that Akamai published a blog post on March 2, written by its principal engineer, Rich Salz, which brought attention to the problem sooner than the researchers had hoped.
Moral: Encryption Backdoors
In the post-Snowden era, many technology giants have moved to use strong encryption wherever possible, in part to assuage customers' concerns that the NSA could easily tap their communications. Apple and Google also began releasing mobile devices that use - or could be set to use - strong crypto by default. And many U.S. and U.K. government officials have reacted with alarm to these moves. Often citing terrorism and child-abuse concerns, many have demanded that the technology firms weaken their crypto by building in backdoors that government agencies could access.
But Green says the Freak flaw demonstrates how any attempt to meddle with strong crypto can put the user of every mobile device, Internet browser or website at risk. "To be blunt about it, the moral is pretty simple: Encryption backdoors will always turn around and bite you ..." he says. "They are never worth it."