In recent weeks, technology researchers have discovered a decade-old security flaw, dubbed “FREAK,” that leaves Apple and Google devices and Microsoft Windows PCs vulnerable to hacking.
Attackers compromise these devices through Apple’s Safari browser and Android’s default browser when the user visits certain websites, even on mobile devices. Microsoft announced in a recent advisory note that Windows PCs are also vulnerable to the “FREAK” flaw.
Matthew Green, a cryptographer at Johns Hopkins University, told MarketWatch that approximately 5.04 million websites may be at risk from this vulnerability.
The vulnerability stems from a former U.S. government policy that required U.S. software manufacturers to produce weakened encryption programs for overseas markets. The policy is no longer in effect, but the weakened encryption continues to be used by many foreign software companies.
The “FREAK” flaw allows a cybercriminal to break the secure connection between a device’s Web browser and a website and spy on the user’s activities. Vulnerable connections include those secured with Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
“FREAK” is especially concerning for those who use online banking, store personal documents, or access work-related documents. If hackers obtain this information, they can use it to commit fraud or identity theft.
Apple released a security announcement explaining the impact of “FREAK” in further detail. The flaw affects iPhone models 4s and later, iPod touch (5th generation) and later, and iPad 2 and later.
What should you do?
Currently, there’s no evidence hackers have begun to exploit this weakness, but technology companies are still working diligently to find a patch.
On Monday, Apple released the following updates, which remedy the “FREAK” flaw: iOS 8.2, Apple TV 7.1, and updates for Mac OS X Mountain Lion, Mavericks and Yosemite. Apple users should download these updates immediately and avoid using their Web browser until doing so.
Google and Microsoft customers should stay vigilant for new updates and refrain from surfing the Web on insecure browsers. Web browsers not affected by the “FREAK” flaw include Google Chrome and Mozilla Firefox.
A Web browser test for the “FREAK” flaw is also available for concerned individuals.