BlackBerry has joined the lengthening list of FREAKed-out vendors, publishing a list of currently-vulnerable software and promising fixes as soon as possible.
The famous FREAK is the vulnerability that OpenSSL inherited from the 1990s, because America's rules at the time meant “export-grade” encryption was limited to a maximum key length of 512 bits.
Clients needed a way to tell servers they only accepted export-grade keys – and the code that implemented this has lingered on. In FREAK, a man-in-the-middle (MITM) could tell the server that the client only accepts the weaker key, capture the traffic protected by that weak key, and decrypt it later.
BlackBerry's advisory reveals that currently-vulnerable products include the BlackBerry 10 and 7.1-and-earlier OSs, various versions of its Enterprise Server, and BlackBerry Messenger on Windows, iOS and Android.
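The downgrade described above leaves a signature on the wire: the ServerHello selects an RSA_EXPORT cipher suite that the real client never offered. As an added example (not from the article or from BlackBerry), the following parses TLS ClientHello and ServerHello handshake records and flags both conditions; the handshake bytes are built inline as constructed sample data, and the suite values are the IANA-registered export-grade RSA suites.

```python
import struct

# Export-grade RSA cipher suites from the IANA TLS registry (the ones FREAK downgrades to)
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _record(hs_type: int, body: bytes) -> bytes:
    # Wrap a handshake body in handshake + TLS 1.0 record headers (constructed test data)
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_client_hello(suites: list[int]) -> bytes:
    # version, 32-byte random (zeroed), empty session id, cipher_suites, null compression
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00"
    return _record(0x01, body)

def build_server_hello(suite: int) -> bytes:
    # version, random, empty session id, the single chosen suite, null compression
    return _record(0x02, b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00")

def _handshake_body(record: bytes, expected_type: int) -> bytes:
    # Strip the record header (5 bytes) and handshake header (4 bytes), checking both types
    if record[0] != 0x16 or record[5] != expected_type:
        raise ValueError("not the expected TLS handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    return record[9:9 + hs_len]

def client_hello_suites(record: bytes) -> list[int]:
    body = _handshake_body(record, 0x01)
    pos = 2 + 32 + 1 + body[34]                 # skip version, random, session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]

def server_hello_suite(record: bytes) -> int:
    body = _handshake_body(record, 0x02)
    pos = 2 + 32 + 1 + body[34]
    return struct.unpack("!H", body[pos:pos + 2])[0]

def check_downgrade(client_hello: bytes, server_hello: bytes) -> list[str]:
    # Flag a ServerHello that picks an export suite, or any suite the client never offered
    offered, chosen = client_hello_suites(client_hello), server_hello_suite(server_hello)
    findings = []
    if chosen in EXPORT_SUITES:
        findings.append(f"export-grade suite negotiated: {EXPORT_SUITES[chosen]}")
    if chosen not in offered:
        findings.append(f"server chose 0x{chosen:04x}, which the client never offered")
    return findings
```

Run against captured traffic on the client side of the connection, the second finding is the tell-tale of a tampered ClientHello, since an honest server can only pick from what the client sent.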
In the clear are:
- BlackBerry Enterprise Server 5;
- BlackBerry Universal Device Service;
- Windows Phone and Android versions of its BES12 client;
- BBM and BBM Protected on Android, version 2.7.0.6 and higher; on iOS 2.7.0.32 and higher.
While there are no workarounds for the vulnerability, the company says the complex requirements needed to stage a successful MITM attack reduce the immediate risk for clients. ®