'Freak' Security flaw allowed hackers to steal passwords and personal data from iPhone and Android users for past 10 years

iPhones, Androids and Mac contained a backdoor because US forbade exports of devices with strong encryption #Freak Vulnerability

Shocking but true, Android, iPhone and Mac users around the world have been exposed to a security risk for past 10 years allowing hackers to steal passwords and other personal data, because of a U.S. policy that forbade the export of devices containing “strong encryption” outside of the country.

Researchers who have published their report on SmackTLS, state that this flaw existed from 10 years and Google Inc. and Apple Inc. are now trying to fix this vulnerability.

A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a ‘man in the middle attacker’ (MiTM) to downgrade connections from ‘strong’ RSA to ‘export-grade’ RSA.  The researchers say that this flaw was possible because US government did not want encrypted devices to be exported outside of United States.

Any Android, iPhone or Mac user who visited government websites like Whitehouse.gov, NSA.gov and FBI.gov as well as many other popular websites around the world was exposed to this flaw. The researchers found that the flaw forced browsers to accept an easily broken security standard and then make the device vulnerable. Once the device was vulnerable, it could be hijacked by cyber criminals within hours, the researchers state.

Explaining the whole concept, the researchers stated that due to ‘export grade’ RSA, a hole in web browser security allowed the group to steal passwords and personal data from individuals. It also opened doors for further exploitation with a mass attack.

The security flaw, which affects Apple’s Safari web browser for iOS and Mac, as well as Google’s stock web browser for Android does not affect Chrome and Internet Explorer.

The flaw which was first reported by Washington Post is being fixed by Apple in Safari web browser in a update next week.  Google said that it had already provided a patch for Android to its smartphone manufacturers. However the problem for Android users is multitude as they have to wait for their smartphone manufacturer to issue the patch and most large and small manufacturers hardly seem to be interested in releasing such patches.

Also Google has said that it will not provide patches for Android 4.3 Jellybean and below smartphones for WebView component which forms a vital part of default Android browser. Therefore these 1 billion+ smartphones will remain vulnerable, if they are in circulation because Google wont be providing updates for them.

Of the websites, FBI.gov and Whitehouse.gov have been fixed, according to Cryptography Engineering, while NSA.gov remains vulnerable to such vulnerability.

LEAVE A REPLY

Please enter your comment!
Please enter your name here