BlackBerry joins the FREAK show

Working on patches now

BlackBerry has joined the lengthening list of FREAKed-out vendors, publishing a list of currently-vulnerable software and promising fixes as soon as possible.

The famous FREAK is the vulnerability that OpenSSL inherited from the 1990s, because America's rules at the time meant “export-grade” encryption was limited to a maximum key length of 512 bits.

Clients needed a way to tell servers they would only accept export-grade keys – and the code that implemented this has lingered on. In FREAK, a man-in-the-middle (MITM) could tell the server that the client only accepts the weaker key, capture the traffic protected by that weak key, and decrypt it later.
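The downgrade described above is visible on the wire: the ServerHello names the cipher suite the server agreed to. The following is an added example, not code from the article or from BlackBerry, that parses a TLS 1.0-style ServerHello record and flags a negotiated RSA_EXPORT suite; the sample records are constructed inline, and the suite identifiers are the IANA-registered values for the three export-grade RSA suites.

```python
import struct

# Export-grade RSA suites whose acceptance a FREAK downgrade relies on
# (identifiers from the IANA TLS cipher-suite registry).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def negotiated_suite(record: bytes) -> int:
    """Return the cipher suite chosen in a TLS ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # Layout: version(2) + random(32) + session_id_len(1) + session_id
    sid_len = hello[34]
    off = 35 + sid_len
    return struct.unpack("!H", hello[off:off + 2])[0]

def is_freak_downgrade(record: bytes) -> bool:
    """True when the server agreed to an export-grade RSA suite."""
    return negotiated_suite(record) in RSA_EXPORT_SUITES

def build_server_hello(suite: int) -> bytes:
    """Constructed sample ServerHello: zeroed random, empty session id."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body

# Constructed samples: one downgraded handshake, one using AES-128.
EXPORT_HELLO = build_server_hello(0x0003)
STRONG_HELLO = build_server_hello(0x002F)  # TLS_RSA_WITH_AES_128_CBC_SHA

if __name__ == "__main__":
    for name, rec in (("export", EXPORT_HELLO), ("strong", STRONG_HELLO)):
        print(name, hex(negotiated_suite(rec)), is_freak_downgrade(rec))
```

The same check applied to real captures (for example, ServerHello records pulled from a packet capture) would expose any server on a network that still agrees to these suites.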

BlackBerry's advisory reveals that currently vulnerable products include the BlackBerry 10 and 7.1-and-earlier operating systems, various versions of its Enterprise Server, and BlackBerry Messenger on Windows, iOS and Android.

In the clear are:

  • BlackBerry Enterprise Server 5;
  • BlackBerry Universal Device Service;
  • Windows Phone and Android versions of its BES12 client;
  • BBM and BBM Protected on Android, version 2.7.0.6 and higher; on iOS, version 2.7.0.32 and higher.

While there are no workarounds for the vulnerability, the company says the complex requirements needed to stage a successful MITM attack reduce the immediate risk for clients. ®


Biting the hand that feeds IT © 1998–2018