About one-third of today's websites, as well as Apple and Google devices, are vulnerable to a security flaw that traces back to a late-1990s U.S. policy on encryption exports. It went undetected until new research by French scientists uncovered the vulnerability, called "FREAK," short for Factoring attack on RSA-EXPORT Keys.
Technology vendors, government agencies including the NSA and FBI, banking institutions, financial services firms and large retail sites are scrambling to close the FREAK hole, which dates from the period when the U.S. required deliberately weakened "export-grade" encryption in computing devices and technology products shipped abroad. The requirement was lifted not long after, but the weak cipher suites remained in widely used software, and servers inside the U.S. ended up supporting them as well.
"We thought of course people stopped using it," said Karthikeyan Bhargavan, one of the researchers who discovered FREAK during encryption testing at the French computer science lab INRIA.
The research team was able to trick browser software into accepting the old export-grade encryption, then broke the resulting key and hacked into websites in less than 10 hours. Once the key is recovered, an attacker sitting between the user and the site can read the traffic and mount further attacks against the websites themselves. It had been assumed the downgraded encryption was no longer in play.
"This is basically a zombie from the '90s," said Nadia Heninger, a cryptographer at the University of Pennsylvania.
Like the zombies on the popular Walking Dead show, the weak encryption is still active and in play and lets hackers initiate an attack. All one needs, say the researchers, is access to the Internet and a way to intercept the connection between the user and the site.
Essentially, it means that the Secure Sockets Layer (SSL) "lock" icon many Internet users have come to rely on, and which has long denoted that a site is "secure," isn't all that secure.
As of Tuesday, some 5 million websites that display the SSL connection lock are vulnerable.
Since the discovery, researchers have been busy alerting U.S. federal agencies and companies about the vulnerability, but it didn't become a public issue until cloud service provider Akamai posted a blog article about its efforts to close the hole.
"We can't fix those clients, but we can avoid the problem by disabling export ciphers," stated Bill Brenner at Akamai. "Because this is a client side issue, we've reached out to our customers and are working with them to make this change."
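As an added illustration (not from the article, and not Akamai's or INRIA's code) of the two halves described above, the downgrade FREAK relies on and the server-side change Akamai describes: the script below builds the kind of ClientHello a FREAK man-in-the-middle substitutes for the victim's real one, offering only RSA_EXPORT cipher suites, and reports whether a server accepts one. The host and port are caller-supplied assumptions; the two sample responses (a handshake_failure alert and a ServerHello selecting TLS_RSA_EXPORT_WITH_RC4_40_MD5) are constructed fixtures so the parser can be exercised offline.

```python
"""Check whether a TLS server still accepts RSA_EXPORT cipher suites (the server half of FREAK).

Assumptions not taken from the article: host/port come from the caller; the sample
responses at the bottom are hand-built fixtures, not captures from any real server.
"""
import os
import socket
import struct

# RSA_EXPORT suite identifiers from the TLS cipher suite registry.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}


def suite_name(suite: int) -> str:
    return EXPORT_SUITES.get(suite, "0x%04x" % suite)


def build_client_hello(server_name: str) -> bytes:
    """TLS 1.0 ClientHello offering ONLY export suites: what a FREAK
    man-in-the-middle rewrites the victim's real ClientHello into."""
    suites = b"".join(struct.pack("!H", s) for s in EXPORT_SUITES)
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x01"                                   # client_version TLS 1.0
        + os.urandom(32)                              # client random
        + b"\x00"                                     # empty session id
        + struct.pack("!H", len(suites)) + suites     # cipher_suites: export only
        + b"\x01\x00"                                 # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def parse_server_response(data: bytes):
    """Return the cipher suite chosen in the first ServerHello, or None if the
    server sent an alert (refused the offer) or the bytes cannot be parsed."""
    if len(data) < 5 or data[0] != 0x16:          # 0x15 would be an alert record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != 0x02:            # HandshakeType server_hello
        return None
    body = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    if len(body) < 35:                            # 2 version + 32 random + sid length
        return None
    sid_len = body[34]
    off = 35 + sid_len
    if len(body) < off + 2:
        return None
    return struct.unpack("!H", body[off:off + 2])[0]


def check_freak(host: str, port: int = 443, timeout: float = 5.0):
    """Live check against host:port. Returns (accepts_export, suite_name_or_None)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        data = b""
        while True:                                # read until the first record is complete
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
            if len(data) >= 5 and len(data) >= 5 + struct.unpack("!H", data[3:5])[0]:
                break
    suite = parse_server_response(data)
    if suite in EXPORT_SUITES:
        return True, EXPORT_SUITES[suite]
    return False, None


# Constructed fixtures (not captured from any real host) so the parser runs offline.
SAMPLE_HANDSHAKE_FAILURE_ALERT = bytes.fromhex("15030100020228")   # fatal alert, handshake_failure(40)


def constructed_server_hello(suite: int) -> bytes:
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


SAMPLE_EXPORT_SERVER_HELLO = constructed_server_hello(0x0003)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        vuln, name = check_freak(sys.argv[1])
        print(sys.argv[1], "ACCEPTS export suite " + name if vuln else "refuses export suites")
    else:
        print("offline demo:", suite_name(parse_server_response(SAMPLE_EXPORT_SERVER_HELLO)))
```

Run with a hostname argument to test a live server. A server that answers with a handshake_failure alert has applied the change Akamai describes, dropping the EXPORT suites from its configuration (`!EXPORT` in an OpenSSL-style cipher string); one that returns a ServerHello selecting an export suite will follow it with a 512-bit RSA key in ServerKeyExchange, which is what makes factoring practical. This checks only the server half of the problem: the client half, which Akamai says it cannot fix, is a browser that accepts that weak key even though its own ClientHello never offered an export suite.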
For its part, Apple says it's prepping a patch that should become available next week for both devices and computers.
In the meantime, Internet users are being advised to use the Google Chrome browser, whose TLS implementation does not accept the export-grade cipher suites.
Google says it is providing Android partners a patch but how many of those partners are installing the patch is unknown.
According to one report, FREAK can be used against a third of all supposedly secured websites, and affected client software includes Apple's Safari.