Smartphone provider BlackBerry has admitted over one week after it was first discovered that the majority of its software and devices are affected by the FREAK vulnerability.
The Canadian firm said in an advisory late last week that the much-hyped flaw has impacted all versions of the BlackBerry 10 OS, all versions of BlackBerry 7.1 and earlier, all versions of BES10 and BES12 and various versions of BBM on Android and iOS.
That amounts to most of the software produced by the encrypted messaging specialist, although BES5, the BES12 client on Windows Phone and Android, and several versions of BBM are among the few exceptions.
BlackBerry said it was “diligently working to determine the full impact of the issue and confirm the best approach for protecting customers,” but warned it may need to update the list of affected products in due course.
FREAK (Factoring RSA Export Keys) was announced to the world around a fortnight ago.
If attackers have access to the traffic flowing between an affected client and server, they could inject code forcing both sides to use weak 512-bit crypto which can be easily cracked in a matter of hours.
The attackers could then theoretically steal passwords and other personal info and launch additional attacks against the targeted site.
Original reports claimed the man-in-the-middle flaw affected 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains.
Soon after, Microsoft was forced to admit that FREAK affected all versions of Windows.
Apple, Google and Redmond have all released patches to deal with the issue.
In its defense, BlackBerry claimed that hackers would have to overcome several hurdles to carry out an attack:
“This issue is mitigated for all customers by the prerequisite that the attacker must first complete a successful man-in-the-middle (MitM) attack in order to exploit the vulnerability. For BES12, BES10, Blend and Link, this would additionally require that the attacker compromise the intranet.
This issue is further mitigated for customers sending data that is encrypted before being sent over SSL; for example, data encrypted by S/MIME or PGP will still be protected.”
Charles Sweeney, CEO of web filtering company Bloxx, agreed that an attack would have to be “long and complex” to render any affected devices vulnerable.
“Yet, arguably this is not the point,” he told Infosecurity.
“The fact that there is any potential for a user's device to be hacked should have warranted swift communication from BlackBerry, especially as their devices are used largely in businesses and as a result will be home to confidential information."