Thursday, March 19, 2015

Bug from the past: more than 2,000 iOS and Android applications affected by the FREAK flaw

No fewer than 2,000 applications for iOS and Android mobile devices allow attackers to steal user data, according to a research report published by the cybersecurity company FireEye.

On March 3, researchers disclosed a vulnerability named FREAK (Factoring Attack on RSA-EXPORT Keys) in OpenSSL, the cryptographic library that implements the SSL/TLS (Secure Sockets Layer / Transport Layer Security) protocols. For more than 10 years, attackers could have exploited this flaw, which forces a connection onto a weakened version of the cryptographic protocol.
The weakness was introduced deliberately in the 1990s by American software vendors shipping their products abroad, to satisfy US export restrictions on strong cryptography. Thanks to it, an application can be forced to use 512-bit RSA keys instead of the 2048-bit keys in use today. Keys of that length can be broken by running special-purpose software on public cloud services, and with the key recovered, criminals can remotely control the victim's devices.
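The downgrade described above leaves a visible trace on the wire: the server either selects an RSA_EXPORT cipher suite in its ServerHello or sends a ServerKeyExchange carrying a short temporary RSA modulus. The following detection routine is an added example, not code from the article or from FireEye; it parses those two handshake messages from captured TLS records and flags both signs. The sample records are constructed inline (filler bytes, signature omitted), and the suite codes are the three RSA_EXPORT suites defined in RFC 2246.

```python
import struct

# RSA_EXPORT cipher suites from RFC 2246 (TLS 1.0), appendix A.5
RSA_EXPORT_SUITES = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                     0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
                     0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}
HANDSHAKE, SERVER_HELLO, SERVER_KEY_EXCHANGE = 22, 2, 12
MIN_SAFE_RSA_BITS = 1024  # shorter temporary keys are within reach of cloud factoring

def parse_handshake(record: bytes):
    """Split one TLS record into (handshake_type, body); raises on malformed input."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) != 5 + rlen:
        raise ValueError("not a complete TLS handshake record")
    hlen = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hlen]
    if len(body) != hlen:
        raise ValueError("truncated handshake message")
    return record[5], body

def check_record(record: bytes) -> list:
    """Return findings for FREAK-relevant weaknesses seen in one server handshake record."""
    findings = []
    htype, body = parse_handshake(record)
    if htype == SERVER_HELLO:
        # version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
        sid_len = body[34]
        suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
        if suite in RSA_EXPORT_SUITES:
            findings.append(f"server selected export suite {RSA_EXPORT_SUITES[suite]}")
    elif htype == SERVER_KEY_EXCHANGE:
        # RSA_EXPORT form: rsa_modulus<1..2^16-1> rsa_exponent<1..2^16-1> signature
        mod_len = struct.unpack("!H", body[:2])[0]
        bits = int.from_bytes(body[2:2 + mod_len], "big").bit_length()
        if bits < MIN_SAFE_RSA_BITS:
            findings.append(f"ServerKeyExchange carries a {bits}-bit temporary RSA key")
    return findings

def wrap_handshake(htype: int, body: bytes) -> bytes:
    """Add handshake and TLS 1.0 record headers around a handshake body (sample helper)."""
    msg = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(msg)) + msg

# Constructed samples, not real captures: a ServerHello choosing suite 0x0003 and a
# ServerKeyExchange with a 512-bit modulus of filler bytes (signature omitted).
SAMPLE_HELLO = wrap_handshake(SERVER_HELLO, b"\x03\x01" + b"\x11" * 32 + b"\x00\x00\x03\x00")
SAMPLE_SKE = wrap_handshake(SERVER_KEY_EXCHANGE, b"\x00\x40" + b"\xff" + b"\x22" * 63 + b"\x00\x01\x03")
```

Calling `check_record` on each sample returns one finding apiece; a ServerHello that selects a non-export suite such as 0x002F returns an empty list.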
Apple and Google have released updates that close the vulnerability in their mobile operating systems, but individual applications also need to be updated. FireEye analyzed the App Store and found that 771 of the 14,079 apps examined contain the vulnerability. In Google Play, 1,228 of the apps reviewed were vulnerable; of these, 664 use the standard OpenSSL library, while the rest ship their own version.
According to the study, the applications most exposed to attack are those tied to bank cards, office software, and medical programs. Unfortunately, this is not the first large-scale vulnerability found in OpenSSL in the past year: it follows Heartbleed and POODLE.
Experts explain simply why FREAK went undetected for more than 10 years: "It simply had not been thought about before." "The computing power of end-user workstations has grown enormously over the last ten years, and cloud data-processing services have appeared, which drew specialists' attention to the possibility of decrypting the data," Kaspersky Lab explained. Given the seriousness of the flaw, experts advise developers to release corresponding updates to their software as soon as possible.