Macbook iPad Air 2 iPhone 6 continuity

A new exploit dubbed ‘FREAK Attack’ — which stands for “Factoring attack on RSA-EXPORT Keys” — that takes advantage of a security flaw dating back to the 1990s will be patched soon by Apple.

As we speak, the iPhone maker is readying a fix in iOS and OS X that will be available in software updates next week, a spokesperson for the Cupertino firm told iMore.

Plagued by this security flaw, users of Mac, iPhone, iPad, iPod touch and Android devices are at risk when visiting vulnerable websites that downgrade a secure HTTPS connection to a weaker encryption method.

The Cupertino firm is aware of the exploit in its Safari browser for OS X and iOS.

Vulnerable websites include some of the biggest brands and online properties like AmEx, Airtel, Bloomberg, Business Insider, Groupon, Marriott and many more.

The exploit was publicized yesterday, but Apple is obviously moving swiftly to address the problem, an encouraging sign indeed.

“We have a fix in iOS and OS X,” an Apple spokesperson told iMore, “that will be available in software updates next week.”

The statement was echoed by Re/code, quoting Apple spokesman Ryan James as saying that Apple “had developed a software update to remediate the vulnerability, and it will be pushed out next week.”

“Next week” is probably Monday.

On March 9, Apple should detail the Watch at the “Spring Forward” media event in San Francisco’s Yerba Buena Center for the Arts.

A pair of software updates for iOS and OS X enabling Watch compatibility should be pushed out shortly following the presentation.

According to the website, clients prone to this vulnerability don’t just include many Google and Apple devices which use unpatched OpenSSL, but a large number of embedded systems and “many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.”

Though disclosed by researchers yesterday, this vulnerability has somehow managed to go unnoticed for more than a decade.

Back then, the U.S. government required software vendors to use the weaker 512-bit encryption in products sold overseas. The policy, designed to prevent the export of strong encryption, was in place until the late-1990s.

Matthew D. Green, a Johns Hopkins cryptographer who helped investigate the encryption flaw, told The Washington Post that any government requirement to weaken security adds complexity that hackers can tap into.

“You’re going to add gasoline onto a fire,“ said Green. “When we say this is going to make things weaker, we’re saying this for a reason.”

Even though the U.S. government’s restrictions were lifted in the late 1990s, the weaker encryption “got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year,” wrote the paper.

Apple has infuriated government officials with its unwavering stance on user security, especially after it started enforcing device encryption by default beginning with iOS 8.

Encryption makes user data and files stored on the device unreadable without an encryption key derived from a passcode.

Although Google originally promised to enable encryption on every Android 5.0 Lollipop device, the firm has changed its position recently and now says encrypted storage is coming in “future versions of Android.”

According to ArsTechnica, enabling disk encryption as a standard feature in Android 5.0 Lollipop would severely degrade system performance, even on Google’s own Nexus-branded smartphones and tablets.

“Our review of the Nexus 6 showed that the new phone could be slower than the old Nexus 5 in certain tasks, and AnandTech supplied additional numbers that showed just how severe the performance impact was,” noted the publication.

Encryption on mobile devices depends on a dedicated hardware component and fast flash storage. Apple has both. Custom-designed processors Apple uses in iOS devices let it coordinate the software and hardware better than other companies that use off-the-shelf component, and in ways specifically designed with user security in mind.

Source: iMore

  • Merman123

    Was just reading about this. I wonder if the iOS fix is bundled with 8.2 for next week?

  • Digitalfeind

    Hoping Ryan Petrich releases a patch for this.

    • Maxim∑

      why? Jailbreak makes you vulnerable to many things so his patch doesn’t change much

      • Utrarunner5

        It would patch this vulnerability so you would not have to lose your jailbreak. Ryan Petrich did this when iOS 6.0.6 and iOS 7.0.6 came out because of a different SSL security hole.

      • Manuel Molina

        Most people are not interested in to losing a jailbreak, and this update seems important to all users on any electronic device. So a tweak to not only prevent losing the jailbreak and preserve your safety is key.

      • Digitalfeind

        Stock iOS is vulnerable as well. It’s all about what you download.

      • Why do you hope that Ryan Petrich doesn’t release a patch for this?

        If someone can patch a security flaw then why shouldn’t they?

        It’ll make everyones devices more secure…

      • Niclas

        Someones mad cuz he lost his JB ^^

      • Maxim∑

        no, haven’t jailbroken since iOS 6. Until Apple upgrades RAM not even considering it

  • Hugh Jassol

    So does this mean that similar to the heart bleed vulnerability, …Apple will release newly patched iOS versions; even for obsolete devices such as the iPhone 4,( ie 7.1.3)?

  • Andrew

    “Factoring Attack on RSA-EXPORT Keys”

    Would this not be FAREK instead of FREAK? Or at the very least, FREK?