In early January 2015, OpenSSL released a security update that gained little worldwide attention. Buried within the list of threats, with a severity rated “Low,” was this short blurb: “An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange cipher suite. A server could present a weak temporary key and downgrade the security of the session.”
Two months later, European researchers and Microsoft revealed that one-third of all Web servers were vulnerable to this flaw, which they christened FREAK (factoring attack on RSA-EXPORT keys). The vulnerability might have allowed attackers to take over certain elements of Web pages by executing man-in-the-middle (MITM) attacks. Some virus protection products for Mac can scan URLs to warn users of MITM attacks, and Apple released security updates on March 10. Unfortunately, the damage might have already been done: the FREAK flaw has existed for decades.
How FREAK Happened
The vulnerability that made FREAK possible started in the 1990s, when U.S. regulations forbade businesses from exporting technology products that used anything stronger than 512-bit encryption. According to cryptographer and Johns Hopkins professor Matthew Green, the NSA wanted to access overseas communications, so it required export products to have encryption keys of no more than 512 bits.
As a result, servers in the U.S. had to support both strong ciphers and export-grade ciphers to serve domestic and international users. SSL’s creators added cipher suite negotiation, which let a server determine the strongest cipher that a given client, whether strong or export-grade, could support. Servers would then run the session with the strongest encryption available rather than demanding strong ciphers.
For a long time, security analysts believed that modern Web browsers no longer supported export-grade RSA. They also thought that servers no longer offered export-grade RSA when establishing secure sessions. Unfortunately, thanks to a bug in both OpenSSL and Apple’s SecureTransport, an estimated 14 million sites that use browser-trusted certificates, including FBI.gov and WhiteHouse.gov, still support export-grade RSA.
Breaking (factoring) a 512-bit key is not worth the effort just to attack one person. However, if breaking it opens access to not one but many sessions, the work becomes worthwhile. As it turns out, many servers don’t generate fresh RSA keys whenever they start a new session; they reuse the same export-grade RSA key for as long as they’re in operation. Once attackers factored the single export-grade RSA key on a server, they could hypothetically continue attacking the server for as long as it used that key.
Hypothetically, attackers could exploit FREAK to take control of encrypted sessions — during which clients provide their credit card numbers and other sensitive information — by using a MITM attack:
- Initial handshake. The client sends a “Hello” message to the server asking for a standard RSA cipher suite.
- Interception. The attacker intercepts the “Hello” and changes the request so that the client is asking for an export-grade RSA.
- Response. The server returns a 512-bit public key. Because of the OpenSSL and SecureTransport bugs, the client accepts the weaker key, which the attacker factors using multiple virtual servers as computing power.
- Infiltration. The client creates a pre-master secret for the session, which it encrypts with the server’s 512-bit public key. Because the attacker has factored the public key, it can now decrypt the pre-master secret and derive the TLS master secret.
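The handshake steps above, modeled as an added example that is not part of the original article: a small Python simulation of the client-side check whose absence made FREAK possible, with a server-side audit helper. The cipher suite names are the real TLS names; the handshake objects, the `patched` flag, and the assumption that the attacker hands the client a ServerHello naming the strong suite it originally asked for are simplifications made here.

```python
from dataclasses import dataclass

# Real TLS cipher suite names. The EXPORT suites carry a 512-bit temporary RSA key.
EXPORT_RSA_SUITES = {"TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                     "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}
STRONG_RSA_SUITES = {"TLS_RSA_WITH_AES_128_CBC_SHA",
                     "TLS_RSA_WITH_AES_256_CBC_SHA"}


@dataclass
class ServerKeyExchange:
    """Simplified (constructed) ServerKeyExchange: only the temporary key size matters here."""
    temp_rsa_bits: int


def export_suites_offered(suites):
    """Audit helper: which export-grade RSA suites a configuration or ClientHello still lists."""
    return sorted(s for s in suites if s in EXPORT_RSA_SUITES)


def client_accepts(negotiated_suite, ske, patched):
    """Client decision on an RSA ServerKeyExchange carrying a temporary RSA key.
    Unpatched clients (the OpenSSL/SecureTransport bug) accepted the temporary key in
    any RSA suite; a patched client accepts it only when the suite is export-grade."""
    if ske is None:
        return True                          # plain RSA suite, nothing to check
    if negotiated_suite in EXPORT_RSA_SUITES:
        return True                          # export suite: a weak temporary key is expected
    return not patched                       # non-export suite: only a buggy client accepts it


def downgrade_succeeds(client_suites, server_suites, client_patched):
    """Replay the four steps: the ClientHello is rewritten to export suites, the server
    (if it still supports them) answers with a 512-bit temporary key, and the client
    believes it negotiated the strong suite it asked for. True means the attacker ends
    up with a 512-bit key protecting the pre-master secret."""
    rewritten = sorted(EXPORT_RSA_SUITES)                          # step 2: interception
    chosen = next((s for s in rewritten if s in server_suites), None)
    if chosen is None:
        return False                          # server mitigation: no export suites offered
    ske = ServerKeyExchange(temp_rsa_bits=512)                     # step 3: response
    believed = next(s for s in client_suites if s in STRONG_RSA_SUITES)
    return client_accepts(believed, ske, client_patched)           # client mitigation
```

Either mitigation alone, a patched client or a server that no longer offers export suites, makes `downgrade_succeeds` return False.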
As if a single server recycling the same key wasn’t bad enough, researchers from the University of London discovered a cluster of 28,394 IPs using the same public key. These researchers showed that by factoring this one weak public key, an attacker could gain access to nearly 300 vulnerable hosts.
Apple released security updates for its affected Mac, iOS, and Apple TV operating systems. Additionally, Google released an updated version of Chrome for Mac; Firefox wasn’t vulnerable to FREAK. Even with the Apple updates, some iOS apps might still be vulnerable to FREAK, so iOS users should download the latest app updates immediately to protect themselves.
Government agencies, including the NSA, still pressure companies to leave backdoors for spying in today’s technology. FREAK shows that these backdoors can haunt the very spooks that push for them. According to researchers, the NSA website was vulnerable to FREAK.