Time to FREAK Out?
Author(s): Dave Frymier, Posted on March 10th, 2015
Another day, another media-hyped vulnerability supposedly threatening the viability of the Internet. This latest one originated with attempts by the US government to control (read “weaken”) the level of encryption in products exported outside the United States. One of the ways the weakening was done was by limiting the key length to 512 bits. When the government realized this was hurting American products in the global marketplace, the export restrictions were mostly eased by the year 2000.
What remains of this bad idea is a version of one of the peskiest problems in IT – backward compatibility. How do you eliminate a feature, but not break already deployed equipment that expects to use it? The answer is to provide an option to support the discontinued feature – at least for a while. That brings us to today’s problem – FREAK, which stands for Factoring attack on RSA-EXPORT Keys. Yes, I know, that’s not an acronym – but hey – it’s catchy.
To exploit this vulnerability, attackers need to position themselves between a server and a client that both allow negotiation protocols to support the backward compatible export control libraries that allow 512 bit keys (today’s usual key length is 2,048 bits). The server and client endpoints don’t realize the attacker is between them – the attacker sends them both negotiation parameters to set the 512 bit key length. The attacker then records the resulting encrypted traffic stream. Where would this be practical to do? How about a Starbucks … or a hotel lobby? Anywhere people attach to an unsecured wireless access point, a man in the middle can establish himself by setting up a rogue access point that “looks” like the real one.
Now here comes the amazing part – at least to me. Computerworld reports that it is possible to buy virtual machines and storage from a cloud service provider (they reference Amazon EC2) that make it possible to brute force (try all the combinations) the encryption key in a few hours and for less than $100. Contrast that with the time to brute force a 2,048 bit key being longer than the age of the universe. What would an attacker get for this? They could get a lot of things – but the good stuff is credentials. Log-ins for consumer e-mail accounts, financial institutions, health care patient portals – anywhere people go on their computers that supports the old protocols.
What does this mean for enterprises? Microsoft has announced it is working on a patch, and Apple is releasing a fix through the app store, so enterprises should be sure to apply those as soon as they arrive. In the meantime, users should be careful about putting themselves in situations where network traffic could be intercepted. Unsecured wireless access points (where you don’t have to enter a password or a key) are the most obvious situations to avoid.