Company works on a fix, workaround not available for now

Mar 13, 2015 15:01 GMT

A large number of BlackBerry products are currently vulnerable to the FREAK (Factoring RSA Export Keys) attack revealed earlier this month, and the company has yet to produce a patch for the security flaw.

FREAK is an attack that forces the SSL/TLS key exchange down to a weaker, export-grade variant (512-bit RSA) whose key can be easily factored with today's technology in about seven hours.

Multiple BlackBerry products wait for a fix

The attacker would have to be in a position to intercept the secure connection between a client and a server. The attack relies on an old specification from 1990 that required export-grade encryption to be implemented in software and hardware products exported from the US.
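Because the downgrade works by getting export-grade RSA cipher suites into the handshake, one thing a defender can check in captured traffic is whether a ClientHello offers any of them. The following is an added example, not code from the article or from BlackBerry: it builds a constructed ClientHello and parses the offered cipher suites, flagging the RSA_EXPORT suite identifiers (the IANA values are real; the handshake bytes are made up for the test).

```python
import struct

# Real IANA identifiers for the export-grade RSA suites FREAK downgrades to.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def build_client_hello(suites):
    """Constructed test input: a minimal TLS 1.0 ClientHello record offering `suites`."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00"       # client_version, random, empty session_id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello_suites(record):
    """Return the list of cipher suite ids offered in a TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                                        # skip client_version and random
    sid_len = body[off]
    off += 1 + sid_len
    if off + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    if cs_len % 2 or off + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]

def export_suites_offered(record):
    """Names of the export-grade RSA suites present in the ClientHello (empty list if none)."""
    return [RSA_EXPORT_SUITES[s] for s in parse_client_hello_suites(record) if s in RSA_EXPORT_SUITES]

if __name__ == "__main__":
    # Offers ECDHE-RSA-AES128-GCM, RSA-AES128-CBC, an export RSA suite, and RSA-3DES.
    hello = build_client_hello([0xC02F, 0x002F, 0x0003, 0x000A])
    print(export_suites_offered(hello))   # ['TLS_RSA_EXPORT_WITH_RC4_40_MD5']
```

A hello that legitimately offers no export suite should yield an empty list; seeing one appear on the server side of a capture is a sign the client is misconfigured or the handshake was altered in transit, and the fix on both ends is to disable export suites entirely.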

Different implementations of the SSL/TLS protocols were found to be affected, including OpenSSL, which is present in BlackBerry products. A patched version of OpenSSL is available for integration.

On Thursday, BlackBerry announced that much of its software was affected by the flaw, adding that no workarounds exist to mitigate the risk.

The list of products vulnerable to a FREAK attack includes the operating system, BlackBerry Enterprise Server, Secure Work Space, Work Browser, Work Connect, BlackBerry Blend, all versions of BBM on BlackBerry 10 and Windows Phone, as well as builds earlier than 2.7.0.6 for Android and 2.7.0.32 for iOS.

The vendor informed in the advisory that its team is “diligently working to determine the full impact of the issue and confirm the best approach for protecting customers.”

Some companies pushed the patches

Microsoft’s Secure Channel and Apple’s Secure Transport were also impacted by the vulnerability, but the companies took the necessary steps to keep their customers out of harm’s way.

Microsoft removed the risk this week, via its monthly update session known as Patch Tuesday. Apple took corrective action on Sunday, releasing security updates for both its desktop and mobile platform.

Chrome for Android and the stock browser on Google's mobile operating system have not been patched.