FREAK! Android, iOS users vulnerable to security threats?
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions ranked among the world’s top four vendors of security solutions for endpoint users.
Patrick Nielsen, Senior Security Researcher at Kaspersky Lab, has shared some important points on the FREAK vulnerability for your reference.
1. What is the main impact of this vulnerability? Is it as big as Poodle or Heartbleed?
It’s like a combination of Heartbleed and Apple’s “goto fail.” It relies on both servers and clients being vulnerable to perform the MITM attack: both the server and client need to accept (usually accidentally, due to client bugs and server misconfigurations, and with the “help” of the MITM) a very weak (“export”-grade) cryptographic setup for the session. After the session is set up, the attacker just needs to listen, and can then crack the weakly encrypted traffic later. It is the 90s cryptowars coming back to bite us.
The good news: As far as I can tell, this attack is different from Heartbleed in that it does not leak the private keys of the server. Server administrators don’t need to revoke and reissue their certificates like they did with Heartbleed; they just need to make sure that they don’t allow export crypto (which is blocked by default since TLS 1.1) in their cipher mode setup, and that will prevent future MITM attacks against them.
Furthermore, and a big reason why I don’t think this is as serious as the other attacks, is that client updates will solve the problem as well (like with “goto fail.”) If you use a modern browser and keep it up-to-date, wait a few days and this attack will be largely irrelevant to you, even if servers remain vulnerable, because the bugs allowing the MITM trickery will be fixed.
I recommend server administrators follow these tips to harden their cipher mode setup: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
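The server-side half of the precondition Nielsen describes can be checked directly: offer a server nothing but RSA_EXPORT cipher suites and see whether it agrees to one. The following Python script is an added example and is not code from the article, from Kaspersky Lab or from Nielsen. It builds a minimal TLS 1.0 ClientHello listing only export suites, parses the server's first record, and reports whether an export suite was negotiated (vulnerable server configuration) or the handshake was refused with an alert (hardened configuration). The probe function, the cipher-suite selection, the constructed ServerHello bytes used for offline testing and the command-line usage are all assumptions made for illustration; the suite IDs are those from the IANA TLS cipher suite registry.

```python
"""Offline-testable check for the server side of FREAK: does a server
negotiate RSA_EXPORT cipher suites when a client offers only those?

Added example, not from the article or from Kaspersky Lab.
"""
import os
import socket
import struct
import sys

# Export-grade suite IDs from the IANA TLS registry. FREAK abuses servers
# that still accept the RSA_EXPORT suites (512-bit RSA key exchange); the
# other export suites are listed because a hardened server must refuse all
# of them.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
RSA_EXPORT_SUITES = (0x0003, 0x0006, 0x0008)


def build_client_hello(suites, client_version=b"\x03\x01"):
    """Build a TLS 1.0 ClientHello record that offers only `suites`.

    No extensions are sent, mimicking the legacy clients that FREAK
    targeted; some servers that require SNI will simply refuse."""
    body = client_version
    body += os.urandom(32)                       # client random
    body += b"\x00"                              # empty session id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + client_version + struct.pack("!H", len(handshake)) + handshake


def build_server_hello(suite, session_id=b""):
    """Constructed ServerHello record (sample input for offline testing only)."""
    body = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + b"\x00"   # chosen suite, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record a server sent back.

    Returns ("refused", alert_description) for an Alert record,
    ("export", suite_name) if an export suite was negotiated, or
    ("negotiated", "0xNNNN") for any other suite."""
    if len(data) < 5:
        raise ValueError("short TLS record")
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == 0x15:                     # Alert: level(1) description(1)
        return ("refused", payload[1] if len(payload) >= 2 else None)
    if content_type != 0x16 or not payload or payload[0] != 0x02:
        raise ValueError("unexpected response (not a ServerHello)")
    # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid cipher(2)
    sid_len = payload[38]
    suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
    if suite in EXPORT_SUITES:
        return ("export", EXPORT_SUITES[suite])
    return ("negotiated", "0x%04x" % suite)


def probe(host, port=443, suites=RSA_EXPORT_SUITES, timeout=5.0):
    """Send the export-only ClientHello to a live server and classify its reply.
    Network-dependent; hypothetical helper for running the check by hand."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(suites))
        return parse_server_response(sock.recv(4096))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # assumed host
    print(target, probe(target))
```

A hardened server replies with a handshake_failure alert (description 40) because the client offered nothing it is willing to use; a server that answers with one of the RSA_EXPORT suites is the configuration Nielsen says administrators must fix. The check only covers the server's cipher setup; it does not exercise the client bug that lets a MITM slip an export suite past a browser that never asked for one.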
2. Are Android and/or iOS users in danger? Why?
Yes, Apple’s SecureTransport (used in iOS) and OpenSSL (used in Android’s “Browser”/”Internet”) are both vulnerable. Apple users should install updates as soon as they’re available. Android users should do the same, but should also make sure to switch to Google Chrome (or another browser), which is not vulnerable, and is not part of the base system (so is not subject to all the problems Android has with releasing security updates due to the complicated release model.) This is my biggest concern, by far: Many, many Android users using the default browser will be vulnerable for a long time/forever because updates never reach them (either due to their devices being obsolete, or because service providers/OEMs don’t push out the updates), and thus will have to rely on server configurations being fixed.
3. How to protect yourself from this vulnerability?
Use one of the major browsers and make sure it’s up-to-date. On Android, do not use the default browser as it has many vulnerabilities now and may not receive updates. Instead switch to the Google Chrome app.
© 2024 Hyderabad Media House Limited/The Hans India. All rights reserved.