FREAK: How the US Government Caused Widespread Online Security Danger

Computer security researchers recently discovered a major flaw in online security that may currently leave many smartphones and computers vulnerable to attack. The flaw is a direct result of US government policy.

The FREAK (Factoring RSA Export Keys) flaw originates in weak encryption in the links between browsers and certain websites. Specific, supposedly secure websites – including US government portals and banks’ websites – were found to be vulnerable because browsers could be forced to use weak encryption whose keys could be cracked easily.

Craig Timberg of the Washington Post explains, “For vulnerable sites, [cryptography expert Nadia] Heninger found that she could crack the export-grade encryption key in about seven hours, using computers on Amazon Web services. This would allow hackers to conduct what experts call a ‘man-in-the-middle’ attack to make seemingly encrypted traffic easy to read. Such attacks can be launched by anybody who has access to Internet traffic, including governments, Internet providers and coffee shops or airports that offer Wi-Fi hotspots.”

All of the websites affected by the flaw suffered as a result of US government policy: in the 1990s the government encouraged the use of weaker encryption in products that US programmers were exporting to other countries. The idea was to give the US an advantage in online security. These practices didn’t last long, but the weaker encryption involved became embedded in popular software that made its way across the globe and back into US servers.

Security researchers found that web browsers could be forced into using weaker encryption, after which the keys could be cracked within hours. Once the keys were cracked, hackers could potentially steal information such as passwords and take control of a website’s various elements, including buttons and links.
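The two paragraphs above describe the mechanism in outline: a client ends up on an export-grade cipher suite it never asked for, and the 512-bit RSA key that comes with it is cheap to factor. The following is an added example, written for this page and not code from the article or from the FREAK researchers, showing what a defender watching a TLS handshake (for example in an intrusion-detection sensor or a test harness for a browser build) would check for. It assumes only the standard TLS 1.2 handshake layout and the IANA cipher-suite identifiers; the ClientHello, ServerHello and ServerKeyExchange bytes are constructed samples, with fixed filler in place of real randoms and a made-up 512-bit modulus, not captured traffic.

```python
"""FREAK downgrade audit (added example, not from the article): flag an
export-grade suite being negotiated, a server selecting a suite the client never
offered, and a 512-bit RSA modulus. All bytes are constructed samples."""
import struct

# Export-grade suites (40/56-bit ciphers, 512-bit RSA/DH); standard IANA IDs.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 1, 2, 12
MIN_SAFE_RSA_BITS = 1024  # below this, factoring is within reach of rented compute

def _handshake_body(msg, expected_type):
    """Strip and validate the 4-byte handshake header (type, 24-bit length)."""
    if len(msg) < 4 or msg[0] != expected_type:
        raise ValueError(f"expected handshake type {expected_type}")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    return body

def parse_client_hello(msg):
    """Cipher suite IDs the client offered, in order."""
    body = _handshake_body(msg, CLIENT_HELLO)
    pos = 2 + 32                 # skip client_version and random
    pos += 1 + body[pos]         # skip session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]

def parse_server_hello(msg):
    """The single cipher suite ID the server selected."""
    body = _handshake_body(msg, SERVER_HELLO)
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack_from("!H", body, pos)[0]

def rsa_modulus_bits(msg):
    """Bit length of rsa_modulus in an RSA_EXPORT ServerKeyExchange."""
    body = _handshake_body(msg, SERVER_KEY_EXCHANGE)
    (n_len,) = struct.unpack_from("!H", body, 0)
    modulus = body[2:2 + n_len]
    if len(modulus) != n_len:
        raise ValueError("truncated rsa_modulus")
    return int.from_bytes(modulus, "big").bit_length()

def audit_handshake(client_hello, server_hello, server_key_exchange=None):
    """Findings for one handshake; an empty list means nothing FREAK-like was seen."""
    offered = parse_client_hello(client_hello)
    chosen = parse_server_hello(server_hello)
    findings = []
    if chosen in EXPORT_SUITES:
        findings.append(f"export-grade suite negotiated: {EXPORT_SUITES[chosen]}")
    if chosen not in offered:
        findings.append(f"server selected 0x{chosen:04x}, which the client never offered; "
                        "a correct client aborts the handshake here")
    weak = [EXPORT_SUITES[s] for s in offered if s in EXPORT_SUITES]
    if weak:
        findings.append("client still advertises export suites: " + ", ".join(weak))
    if server_key_exchange is not None:
        bits = rsa_modulus_bits(server_key_exchange)
        if bits < MIN_SAFE_RSA_BITS:
            findings.append(f"{bits}-bit RSA key in ServerKeyExchange is factorable")
    return findings

# Constructed sample messages: fixed filler stands in for the 32-byte randoms.
def build_client_hello(suites):
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"       # version, random, empty session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + b"\x00\x00")               # null compression, no extensions
    return bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body

def build_server_hello(suite):
    body = b"\x03\x03" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body

def build_rsa_export_server_key_exchange(modulus):
    # rsa_modulus, rsa_exponent 65537, then an empty signature placeholder (not verified)
    body = (struct.pack("!H", len(modulus)) + modulus
            + struct.pack("!H", 3) + b"\x01\x00\x01" + b"\x00\x00")
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    hello = build_client_hello([0xC02F, 0xC030])       # ECDHE-RSA AES-GCM suites only
    print("normal:", audit_handshake(hello, build_server_hello(0xC02F)))
    # FREAK pattern: ServerHello names RSA_EXPORT although it was never offered,
    # and the key exchange carries a 512-bit modulus (constructed, not a real key).
    weak_n = ((1 << 511) | 1).to_bytes(64, "big")
    print("FREAK-like:", audit_handshake(hello, build_server_hello(0x0008),
                                         build_rsa_export_server_key_exchange(weak_n)))
```

The second check is the one that matters most for the flaw the article describes: a TLS server is required to pick a suite from the client's own list, so a client that carries on after receiving a suite it never offered has a bug regardless of which suite it is. The first and third checks catch the configuration side, a server that still has export suites enabled or a client that still advertises them, which is what the patches for affected servers and browsers removed.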

The flaw and the policy behind it point to a troublesome double standard in the US government’s stance on online security. On the one hand, it decries hackers’ attacks on US businesses and individuals, yet it demands that tech companies provide it with permanent “backdoors” into secure websites for the surveillance purposes of law enforcement and intelligence agencies. The irony of the situation leaves many US citizens at a disadvantage, unknowingly carrying smartphones with weak encryption.

The even worse news is that most Android operating systems don’t receive updates from carriers, so the flaw will go untreated in many cases. iOS devices should fare better.

The public will likely try to exert pressure on government agencies like the NSA, recently embroiled in scandal, to stop the dangerous practices that actually hurt online security – a subject of growing public concern.

A simple web search will turn up information that can help you determine whether your phone is affected by the FREAK flaw.