A new exploit dubbed ‘FREAK Attack’ — which stands for “Factoring attack on RSA-EXPORT Keys” — that takes advantage of a security flaw dating back to the 1990s will be patched soon by Apple.
As we speak, the iPhone maker is readying a fix in iOS and OS X that will be available in software updates next week, a spokesperson for the Cupertino firm told iMore.
Plagued by this security flaw, users of Mac, iPhone, iPad, iPod touch and Android devices are at risk when visiting vulnerable websites that downgrade a secure HTTPS connection to a weaker encryption method.
The Cupertino firm is aware of the exploit in its Safari browser for OS X and iOS.
Vulnerable websites include some of the biggest brands and online properties like AmEx, Airtel, Bloomberg, Business Insider, Groupon, Marriott and many more.
The exploit was publicized yesterday, but Apple is obviously moving swiftly to address the problem, an encouraging sign indeed.
“We have a fix in iOS and OS X,” an Apple spokesperson told iMore, “that will be available in software updates next week.”
The statement was echoed by Re/code, quoting Apple spokesman Ryan James as saying that Apple “had developed a software update to remediate the vulnerability, and it will be pushed out next week.”
“Next week” is probably Monday.
On March 9, Apple should detail the Watch at the “Spring Forward” media event in San Francisco’s Yerba Buena Center for the Arts.
A pair of software updates for iOS and OS X enabling Watch compatibility should be pushed out shortly following the presentation.
According to the FREAKAttack.com website, clients prone to this vulnerability don’t just include many Google and Apple devices which use unpatched OpenSSL, but a large number of embedded systems and “many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.”
Though disclosed by researchers yesterday, this vulnerability has somehow managed to go unnoticed for more than a decade.
Back then, the U.S. government required software vendors to use the weaker 512-bit encryption in products sold overseas. The policy, designed to prevent the export of strong encryption, was in place until the late-1990s.
Matthew D. Green, a Johns Hopkins cryptographer who helped investigate the encryption flaw, told The Washington Post that any government requirement to weaken security adds complexity that hackers can tap into.
“You’re going to add gasoline onto a fire,“ said Green. “When we say this is going to make things weaker, we’re saying this for a reason.”
Even though the U.S. government’s restrictions were lifted in the late 1990s, the weaker encryption “got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year,” wrote the paper.
Apple has infuriated government officials with its unwavering stance on user security, especially after it started enforcing device encryption by default beginning with iOS 8.
Encryption makes user data and files stored on the device unreadable without an encryption key derived from a passcode.
Although Google originally promised to enable encryption on every Android 5.0 Lollipop device, the firm has changed its position recently and now says encrypted storage is coming in “future versions of Android.”
According to ArsTechnica, enabling disk encryption as a standard feature in Android 5.0 Lollipop would severely degrade system performance, even on Google’s own Nexus-branded smartphones and tablets.
“Our review of the Nexus 6 showed that the new phone could be slower than the old Nexus 5 in certain tasks, and AnandTech supplied additional numbers that showed just how severe the performance impact was,” noted the publication.
Encryption on mobile devices depends on a dedicated hardware component and fast flash storage. Apple has both. Custom-designed processors Apple uses in iOS devices let it coordinate the software and hardware better than other companies that use off-the-shelf component, and in ways specifically designed with user security in mind.