According to researchers, a massive security flaw that is found in both Apple and Google devices leaves smartphone and computer users vulnerable and wide open to a hacking attack when they go to an allegedly ‘secure’ website. The hacker would essentially be able to steal passwords and other information from the user. Researchers say this flaw appears to have arisen from an old US government policy which did not allow companies to export products with “export-grade” encryption, which meant both software and computers that were sold outside of the US had feeble security. Security researchers have named the flaw “Freak”, which stands for Factoring Attack on RSA-Export keys.
According to tests, more than one-third of secure websites were vulnerable to the attack. There is no way of knowing how much it has been exploited. Internet browsers exchange “keys” with sites so that they can be identified, but those keys need to be encrypted, or else a hacker can crack them and then intercept communications.
Firms that are running secure and sensitive websites have largely corrected the issue, although the NSA’s website remains insecure.
It is understood that Apple are preparing a fix for the flaw for the Safari browser on their computers and smartphones and although Google Chrome is not vulnerable, a browser that comes bundled with Android is.
Google have developed a patch to fix the flaw although it will be up to manufacturers when to push that out to users’ devices. Experts in the field had initially thought that the technology behind the flaw had largely ceased to be used, but the US restrictions that were put in place as part of the ‘Crypto Wars’ back in the 1990s, meant that it continued to be an issue. The issue came about because the systems involved continue to use 512-bit encryption, not the 1024-bit encryption codes which are now used.
According to the Washington Post, which first reported the security flaw, the discovery should be a warning to governments about the dangers of asking technology companies to install ‘back doors’ in software to enable them to have access. Government officials, including UK Prime Minister David Cameron, have called for encrypted software to be banned or failing that, weakened, to allow Government authorities access to users communications in the wake of terrorist attacks