Apple and Google users being spied on for a decade because of 'Freak' security flaw
Flaw has been around since late 1990s, and companies are scrambling to fix it
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.A huge security flaw in Apple and Google devices leaves phone and computer users vulnerable to hacking when they go to supposedly secure websites, according to researchers.
Those using most major computing devices could be listened in on when they go to websites, allowing them to steal passwords and other information.
The flaw seems to have come from an old US government policy that didn’t allow companies to export products with “export-grade” encryption, according to researchers, which meant computers and software sold outside of the US had weak security.
Though that rule was lifted in the late 1990s, the weak security had already been built into many computers and so continued to allow hackers and other people to gain access to computers.
Hackers were able to exploit the way computers connect to secure sites. Internet browsers exchange “keys” with sites so that they can be identified. But those keys must be encrypted, or hackers can crack them and intercept communications.
More than one-third of secure websites were vulnerable to the attack according to tests. There is no way of knowing how much it has been exploited.
Companies running secure and sensitive websites have mostly corrected the problems, according to researchers, though the NSA’s website remains insecure.
Apple is preparing a fix for the problem for the Safari browser on its computers and phones. Though Google Chrome is not vulnerable, the browser that comes bundled with Android is — though Google has developed a patch to fix it, it will be up to manufacturers when to push that out to users’ phones.
Researchers have named the flaw “Freak”, which stands for Factoring Attack on RSA-Export keys.
Most experts thought that the technology behind it had fallen out of use. But the US restrictions, which were put in place as part of the “Crypto Wars” of the 1990s, meant that it continued to live on.
The problem arose because the systems continue to use 512-bit encryption — as opposed to the 1024-bit codes that are used now — which has for years been considered far too weak to use. One encryption expert said that the technology was “basically a zombie from the ‘90s”.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments