US intelligence service requests for SSL spying capabilities and NSA activities has been already causing collateral damages to US tech companies. Now the next act has been revealed: Apple and Google products are more vulnerable as they could be, due to an old US government policy that forbades the export of strong cryptographic software.
Looking back into the last millennium
Well, the 80ies was known as the time of cold war, where US government put strict export rules on many goods. On of this US government laws forbids the export of strong encryption equipment (the NSA have had their thumbs upon strong encryption equipment). During the late 90ies, this export restriction was lifted. But Apple and Google has forgotten to remove the weak encryption routines from their products. So Google’s Android Browser and Apples Safari in OS X and iOS causes a major security flaw for years, that has just been published a few days ago by security researchers.
The security flaw in SSL/TLS
Using SSL encryption under the “export-grade” in products has to be restricted to a 512 bit key. Akamai has documented this within this blog post. Twenty year ago, this 512 bit encrypted message was secure – but today it takes a day and a few cloud computers to decipher this encryption. This allows man in the middle attacks from third party monitoring the SSL/TLS traffic.
Unfortunately Apple and Google still uses the old encryption algorithms with a EXP-DES is a variant that uses a 40-bit key. So their browsers on Android devices, iOS mobile devices and OS X are pretty vulnerable. As far as I know, Microsoft’s Windows and Linux isn’t affected.
Apple has announced a patch next week that closes this vulnerability in Safari for OS X and iOS. A Google spokesman has told media, that a patch has been already provided to “partners” (Android OEMs). Further details may be obtained here, here, here and here.
And the nasty thing is?
First of all, all we know now is “just another security flaw” – maybe we will find the next major hole tomorrow or even in two weeks. Secondly: Well, Apple and Google issued patches for their weak products. But that’s only half of the truth. All iPhones, iPads and Macs with iOS or OS X out of support doesn’t receive these updates. Also Android, this nasty thing? Many OEMs has never shipped a security update. So millions of vulnerable systems will be used in future.
Just a side note: And now, marketing told us about that marvelous Internet of things (IoT). Guess this thing is “dead by design” – in my view, this IoT can’t be handled due to security and update issues. Because we have learned nearly each day about new vulnerabilities, data leaks etc. in the past, that IT thing is pretty broken – guess we are done.