Decade Old Flaw Threatens Android, iOS Devices Worldwide
Researchers have discovered yet another flaw that has left some users of Apple and Google devices vulnerable to attack when visiting supposedly secure websites. The flaw, called FREAK, is more than a decade old.
FREAK - short for Factoring attack on RSA-EXPORT Key - allows attackers to force iOS and Android devices to downgrade their encrypted connection to use weaker cryptographic keys.
According to researchers, hackers could force browsers to use the weaker encryption and then crack it over the course of just a few hours. Once the encryption is cracked, hackers can steal passwords and other personal information. They can also potentially launch a broader attack on the websites themselves by taking over elements on a page.
The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker "export-grade" products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year, The Washington Post reported.
Unfortunately, users of iOS and Android mobile devices are going to have to sit tight until Apple and Google push out fixes. Apple will likely have one ready in a few days; as is often the case, the Android rollout may depend on the cooperation of device manufacturers and wireless carriers, Tom's Guide noted.