A security exploit known as “FREAK Attack” has left millions of Google and Apple device users vulnerable to attacks for over a decade.
This particular flaw dates back to the ’90s, with hackers reportedly using old encryption modes left in certain devices. Google and Apple are currently more exposed to potential security threats than any other companies because they use unpatched OpenSSL.
Essentially, Apple and Google previously implemented “export-grade” encryption due to an old US government policy, which back in the ’90s didn’t allow them to sell products containing strong encryption overseas. Back then, only a supercomputer could have successfully bypassed the export-grade encryption, but hackers can now intercept HTTPS connections between their victims and the servers they’re using, forcing them to use the old encryption ciphers that remain on their devices.
When the user is forced to use these old encryption ciphers, any information they submit, including passwords, usernames and bank information, can be accessed by the attacker in a matter of hours. Though users have been left vulnerable to this attack since devices progressed beyond these dated encryption methods, researchers have only just discovered the exploit, leaving Apple, Google and a number of other tech companies to pick up the pieces.
The export-grade encryption methods can reportedly be found in both Android and Apple products, with browsers such as Safari also at risk. You can visit FreakAttack.com to see a detailed list of the sites featured in the Alexa top 10,000 that are vulnerable to the attack, which worryingly include a number of banks (among them American Express and Axis), retailers, and even the NSA.
Apple is already on the case, with a spokesperson for the company saying: “We have a fix in iOS and OS X that will be available in software updates next week.”
While this isn’t as downright terrifying as many are reporting, it is still unsettling that this vulnerability has remained unchecked for such a lengthy period of time. It shouldn’t take too much effort to remove these old, useless encryption methods, though, so this issue will likely be rectified by all involved parties sooner rather than later.
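One way to check a cipher listing for the export-grade suites described above, so they can be removed. This is an added example, not part of the original article; the sample listing is constructed and follows the layout that `openssl ciphers -v` prints on older OpenSSL builds, and the function names are illustrative.

```python
import re

# Constructed sample in the layout printed by `openssl ciphers -v` on older
# OpenSSL builds; it is not captured from any real server or device.
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA Enc=AES(128)    Mac=SHA1
EXP-RC4-MD5                 SSLv3   Kx=RSA(512) Au=RSA Enc=RC4(40)     Mac=MD5  export
EXP-DES-CBC-SHA             SSLv3   Kx=RSA(512) Au=RSA Enc=DES(40)     Mac=SHA1 export
EXP-EDH-RSA-DES-CBC-SHA     SSLv3   Kx=DH(512)  Au=RSA Enc=DES(40)     Mac=SHA1 export
"""

# Matches fields such as Kx=RSA(512) or Mac=AEAD; the bit size is optional.
FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=([^\s(]+)(?:\((\d+)\))?")


def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` line into a dict, or None if malformed."""
    tokens = line.split()
    if len(tokens) < 6 or "=" in tokens[0]:
        return None
    suite = {"name": tokens[0], "protocol": tokens[1],
             "export": tokens[-1] == "export" or tokens[0].startswith("EXP-")}
    for key, alg, bits in FIELD.findall(line):
        suite[key.lower()] = alg
        suite[key.lower() + "_bits"] = int(bits) if bits else None
    return suite


def find_export_suites(listing):
    """Return the export-grade suites found in a cipher listing."""
    suites = (parse_cipher_line(line) for line in listing.splitlines())
    return [s for s in suites if s and s["export"]]


def report(listing):
    """One finding per export-grade suite; an empty list means none enabled."""
    return ["{name}: key exchange {kx}({kx_bits}), cipher {enc}({enc_bits} bit)"
            .format(**s) for s in find_export_suites(listing)]


if __name__ == "__main__":
    for finding in report(SAMPLE) or ["no export-grade suites enabled"]:
        print(finding)
```
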