After it emerged last week that the safety and security of Apple's new Apple Pay feature had been compromised by cybercriminals, new reports are revealing that millions more users of Apple and Google products are vulnerable to so-called "FREAK" attacks by hackers. While there is no evidence at the moment that any hackers have yet exploited this newly found vulnerability in the encryption methods employed by the devices, both Apple and Google are warning their customers and are moving quickly to try to solve the issue. So what is a "FREAK" vulnerability, and how could it leave your Apple or Google device open to attack?
"FREAK" is an acronym for "Factoring attack on RSA-EXPORT Keys", and is a flaw in the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) technologies that allow your device to establish a secure connection across the internet. These security technologies essentially protect your device from being hijacked by hackers or intelligence agencies, who would otherwise be able to access your device, intercept personal communications and collect data. They would also be able to launch attacks on your device, gain access to your passwords, and obtain sensitive information such as credit card details that you enter on what you believe are encrypted websites. This security flaw affects the built-in web browsers on Apple and Google devices, and experts estimate that over a third of websites (around five million in total) are now vulnerable to attack because of it, including major sites like American Express, Groupon and a number of government agencies. However, both companies have said that they will be releasing software updates next week that will resolve the issue and re-establish a secure internet connection.
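On the wire, a successful FREAK downgrade shows up as a TLS ServerHello in which the server has selected one of the old RSA_EXPORT cipher suites, so a defender can detect it by inspecting that one field of captured traffic. The following Python script is an added example, not code from the article or from Apple or Google: it parses a TLS ServerHello record, extracts the negotiated cipher suite and flags any export-grade suite. The cipher suite codes come from the IANA TLS registry (RFC 5246 numbering), and the sample records it runs on are constructed in the script itself.

```python
import struct
from typing import List, Optional, Tuple

# Cipher suite codes (IANA TLS registry) whose key exchange uses export-grade
# RSA or Diffie-Hellman parameters. A server picking any of these after a
# FREAK downgrade is the event a monitor should alert on.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

RECORD_HANDSHAKE = 0x16   # TLS record content type for handshake messages
HS_SERVER_HELLO = 0x02    # handshake message type for ServerHello


def server_hello_cipher(record: bytes) -> Optional[int]:
    """Return the cipher suite a ServerHello selected, or None if the record
    is not a well-formed ServerHello. Layout (RFC 5246): 5-byte record header,
    4-byte handshake header, then version(2) random(32) session_id_len(1)
    session_id cipher_suite(2) compression(1) ..."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != HS_SERVER_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 35:                       # version + random + session_id_len
        return None
    sid_len = hs[34]
    off = 35 + sid_len
    if len(hs) < off + 2:
        return None
    return struct.unpack("!H", hs[off:off + 2])[0]


def flag_export_negotiation(record: bytes) -> Optional[str]:
    """Name of the export suite negotiated in this record, else None."""
    suite = server_hello_cipher(record)
    return EXPORT_SUITES.get(suite) if suite is not None else None


def scan_records(records: List[bytes]) -> List[Tuple[int, str]]:
    """Run the detector over a capture and return (index, suite name) hits."""
    hits = []
    for i, rec in enumerate(records):
        name = flag_export_negotiation(rec)
        if name:
            hits.append((i, name))
    return hits


def build_server_hello(cipher_suite: int) -> bytes:
    """Constructed sample: minimal TLS 1.0 ServerHello with an empty session
    id and null compression, wrapped in a handshake record."""
    hs = (b"\x03\x01" + bytes(32) + b"\x00"
          + struct.pack("!H", cipher_suite) + b"\x00")
    handshake = bytes([HS_SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return (bytes([RECORD_HANDSHAKE, 0x03, 0x01])
            + struct.pack("!H", len(handshake)) + handshake)


if __name__ == "__main__":
    # Constructed capture: one normal AES suite, one export suite, one
    # application-data record that the parser must ignore.
    capture = [
        build_server_hello(0x002F),          # TLS_RSA_WITH_AES_128_CBC_SHA
        build_server_hello(0x0003),          # export-grade RC4-40
        b"\x17\x03\x01\x00\x01\x00",         # application data, not a hello
    ]
    for idx, name in scan_records(capture):
        print(f"record {idx}: export-grade suite negotiated ({name})")
```

The check is deliberately narrow: it only reads the suite the server committed to, so it produces no alert when a client merely offers export suites, and it flags the negotiation whether or not the client intended it. A server that never has export suites enabled can never produce a hit here, which is the configuration fix the article's vendors are rolling out.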
The "FREAK" vulnerability exists as a hangover from an old American government policy on the encryption capabilities of electronic devices manufactured specifically for export. This policy required that all devices made for export have weaker security than those made for use in the country, a decision which the US government has stated was made for reasons of "national security", for example to help fight crime or prevent terrorist attacks. These devices only used 512-bit encryption, which has been considered too weak for over a decade; most devices now use a 2048-bit encryption system. In fact, many experts had assumed that devices using this level of encryption had disappeared altogether. The US government was warned at the time that a policy of this nature could leave the devices open to hackers, who could use it to steal personal and sensitive information. Edward Felten, Professor of Computer Science and Public Affairs at Princeton University, referring to the encryption policy, said that this decision made over "20 years ago" is now "coming back to bite us".
So is this a significant threat to your privacy and security? Matthew D. Green, a cryptography researcher at Johns Hopkins University in America, said that the encryption code could be cracked in a few hours using around 75 computers. However, both Apple and Google have made it clear that so far there have been no confirmed cases of hacking due to this flaw, and that they will each issue their own software upgrade over the next week to combat the issue. A number of the affected websites are also taking measures to upgrade their SSL and TLS security systems. If you are using an Apple or Google phone you should take some care until the updates are released and installed on your device, but until there is a confirmed report of an attack, you don't need to worry too much.