BlackBerry joins the FREAK show
Working on patches now
BlackBerry has joined the lengthening list of FREAKed-out vendors, publishing a list of currently-vulnerable software and promising fixes as soon as possible.
The famous FREAK is the vulnerability that OpenSSL inherited from the 1990s, because America's rules at the time meant “export-grade” encryption was limited to a maximum key length of 512 bits.
Clients needed a way to tell servers they only accepted export-grade keys – and the code that implemented this has lingered on. In FREAK, a man-in-the-middle (MITM) could tell the server the client only accepts the weaker key, capture traffic using the weak key, and decrypt it later.
In BlackBerry's advisory, it reveals that currently-vulnerable products include the BlackBerry 10 and 7.1-and-earlier OSs, various versions of its Enterprise Server, ditto BlackBerry Messenger on Windows, iOS and Android.
In the clear are:
- BlackBerry Enterprise Server 5;
- BlackBerry Universal Device Service;
- Windows Phone and Android versions of its BES12 client;
- BBM and BBM Protected on Android, version 18.104.22.168 and higher; on iOS 22.214.171.124 and higher.
While there are no workarounds for the vulnerability, the company says the complex requirements needed to stage a successful MITM attack reduces the immediate risk for clients. ®