WASHINGTON — A reader asked Data Doctors’ Ken Colburn about a new smartphone security risk:
What exactly is the FREAK security flaw that’s been discovered on smartphones, and what do I need to do about it?
A team of security researchers and cryptographers has discovered a security flaw that dates back to the early days of the Internet that exists in many popular browsers.
Users of Safari on Mac and iOS devices, as well as stock browsers on many Android devices, could be vulnerable when they visit certain secure websites that start with https://.
It’s being called ‘FREAK,’ short for “Factoring attack on RSA-EXPORT Key,” and it’s the remnants of the U.S. government’s restriction on the export of strong encryption in the 1990s.
This forced developers to devise a system that could deliver strong encryption for US-based users and weaker encryption for foreign users, in an attempt to allow the government to better monitor the Internet activity of foreign users by not allowing them to use our more powerful encryption.
The requirement was later dropped, but by that time this dual encryption delivery system became a standard part of Web browsers.
Today, this legacy design still exists in some popular programs, leaving users of these programs vulnerable to some pretty serious exploitation on sites that they may assume are secure.
We’ve all been told to look for the https:// at the beginning of a web address as a sign that the connection between us and the website is secure, but the researchers found a way to exploit this legacy issue. They discovered that they could force browsers to use the older weaker encryption, then crack it over the course of a couple hours, then steal password and personal information and even take over websites themselves to further their attacks.
The researchers have been scanning websites around the Internet to see how many may be using this exploitable hole. They found that about 10 percent of the million most popular secure sites — almost 40 percent of sites that your browser would trust — to be vulnerable.
The good news so far is, they’ve haven’t seen evidence of any exploits in the wild; the bad news is, it’s just a matter of time.
If you have a Mac computer, iPhone, iPad or iPod Touch and you still use the Safari browser, or the default browser on many Android devices, you’re the most vulnerable. Users of current versions of Internet Explorer, Chrome or Firefox are not at risk.
I’ve always recommended the use of either Chrome or Firefox for any computer or mobile device, because I like some of the built-in unique security features, so if you’re a Mac, iOS or Android user, I’d strongly recommend that you switch permanently.
To reduce the confusion on which devices you own that might be at risk, take a minute to visit https://freakattack.com on everything you own.
The website will test your browser and let you know if what you are using is potentially vulnerable. If you’re using an older version of Internet Explorer, Chrome or Firefox, you may need to update it in order to protect yourself.
Apple and Google are reportedly working on fixes, so in the next week or so, you need to make sure to download the updates when they are posted.
If you’re a webmaster, the https://freakattack.com site has posted recommendations for what you should do to disable the exploit on your web server.
Ken Colburn is founder and CEO of Data Doctors Computer Services. Ask any tech question you have on his Facebook Page.
