Embattled handheld maker BlackBerry is the latest firm to warn users that its products are vulnerable to Open SSL/TLS Freak attacks. BlackBerry itself confirms that a large number of the firm's device operating systems and the BlackBerry Messenger service are affected by the flaw.
BlackBerry's recent improvement in technology markets has been in part down to the success of the firm's BlackBerry Enterprise Server (BES) middleware intelligence software. This product is also affected, although an attacker would have to compromise a user or team's intranet to launch an attack.
The OpenSSL factoring attack on RSA-EXPORT Keys is a vulnerability in the OpenSSL implementation included with affected BlackBerry products.
The Freak bug surfaced in March 2015 and affects the HTTPS security protocol used widely across the web for locking down pages such as online banking and ecommerce. The weaknesses exploited by Freak can lead to so-called man-in-the-middle (MitM) attacks where attackers become capable of listening into the network traffic data being exchanged between a user and a destination web server.
Microsoft has previously admitted that “all supported versions of Windows” have been affected by the Freak bug, Windows updates have subsequently been released to address the problem. Android and Apple devices were similarly affected, patches and fixes have also subsequently been released.
BlackBerry: we are working diligently
BlackBerry has pledged to “work diligently” to investigate the vulnerability and to determine how best to mitigate risks to users. The firm's initial statement has confirmed that investigations were still ongoing, but that this research does indeed “confirm that BlackBerry products are impacted” by this vulnerability.
The firm points out that an attacker must first complete a successful man-in-the-middle attack in order to exploit the vulnerability.
The firm itself has released an advisory that said, “This weakness could allow an attacker who is able to intercept and modify encrypted SSL traffic to force a weaker cipher suite. This weaker cipher suite could be broken by a brute force attack within a finite time. In order to exploit this vulnerability, an attacker must first complete a successful man-in-the-middle attack. This issue was addressed in OpenSSL 1.0.1k and a fix is available for integration into affected BlackBerry products.”
Slow cooked BlackBerry
“As fixes become available, this notice will be updated,” reads. The firm has been goaded across media sources for lagging, being slow and delaying its general response to this situation.
“This ongoing issue is certainly not just unique to Blackberry, there are other vendors out there in the same identical position especially in the embedded community affecting an even more widespread customer base with even more sensitive needs. Red Hat released fixes in January and this was fixed in OpenSSL in January this year (CVE-2015-0204) and relevant sources made available for vendors to use as a basis to get patches out,” said Richard Morrell, principal security architect at Red Hat in the firm's Cloud Strategy team, former CLAS, MoD and UK Government security advisor and co-founder of the SmoothWall protection and firewalling platform.
Speaking to SCMagazineUK.com UK, Morrell continued, “Mission critical vendors are always in a race to get patches pushed to mitigate against zero day exploits. However, this takes on a new dimension where authentication credential theft can and will lead to loss of data and potential reputation. To aid those companies still racing to get a fix together we've made available the following resource to give them a head start: https://securityblog.redhat.com/2015/03/04/factoring-rsa-export-keys-freak-cve-2015-0204/.”
SC spoke directly to Julie Paillard, BlackBerry EMEA corporate communications director for additional clarification. “While investigations are ongoing, BlackBerry is taking appropriate actions to protect our customers from the industry OpenSSL vulnerability called “FREAK.” BlackBerry is working on updates for impacted products and we are unaware of any attacks against customers,” said Paillard.
She continued, “It's important to note that to exploit the Freak vulnerability on a BlackBerry platform, an attacker would also have to execute a man-in-the-middle-attack, as well as compromise a customer's intranet to execute this attack on BES12, BES10, BlackBerry Blend or BlackBerry Link.”
A list of affected BlackBerry software is shown below:
- BlackBerry 10 OS (all versions)
- BlackBerry 7.1 OS and earlier (all versions)
- BES12 (all versions)
- BES10 (all versions)
- BES12 Client (iOS) (all versions)
- Secure Work Space for BES10/BES12 (Android) (all versions)
- Work Space Manager for BES10/BES12 (Android) (all versions)
- Work Browser for BES10/BES12 (iOS) (all versions)
- Work Connect for BES10/BES12 (iOS) (all versions)
- BlackBerry Blend for BlackBerry 10, Android, iOS, Windows and Mac (all versions)
- BlackBerry Link for Windows and Mac (all versions)
- BBM on BlackBerry 10 and Windows Phone (all versions)
- BBM on Android earlier than version 126.96.36.199
- BBM on iOS earlier than version 188.8.131.52
- BBM Protected on BlackBerry 10 and BlackBerry OS (all versions)
- BBM Protected on Android earlier than version 184.108.40.206
- BBM Protected on iOS earlier than version 220.127.116.11
- BBM Meetings for BlackBerry 10, Android, iOS, and Windows Phone (all versions)