US government’s weak encryption policy left phones vulnerable to hackers
05 Mar 2015
A government policy that barred the export of products with strong encryption in the 1990s has rendered devices like Android and Apple phones vulnerable to hackers when users visit one-third of all websites, including whitehouse.gov and nsa.gov.
According to researchers, millions of devices and websites had been using an outdated encryption key to secure their communications.
The weak key stemmed from a decision of the Clinton administration that required software and hardware makers to use weak cryptography in products exported outside the US.
With the easing of the restrictions in the late 1990s, many technology companies moved away from the weak cryptography regime.
However, according to researchers, the old keys were included in code that was still being used in a variety of modern devices and websites.
The discovery of the old vulnerability comes as officials in the US and UK push the tech industry to incorporate entry points called "backdoors" for law enforcement agencies into the new and hard-to-crack encryption used in its products.
However, according to industry officials, those back doors could just as well be used by hackers to intercept communications and pose an unnecessary risk to customers.
Apple and Google, meanwhile, are working to fix the decade-old security flaw that could leave millions of users of the tech titans' mobile web browsers vulnerable to hacking.
"FREAK attack", as the newly discovered encryption flaw has been dubbed, left users of Apple's Safari and Google's Android browsers vulnerable to hackers for over a decade, according to researchers who spoke to The Washington Post.
People using the browsers could end up having their electronic communications intercepted when they visited any of hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov.
According to researchers, they had not come across any evidence of the vulnerability being exploited by hackers.
Apple told CNET that its fix would be ready for distribution next week, while Google told The Washington Post its update would be provided to device makers and wireless carriers.
The flaw was detected last week when researchers found that they could force websites to use the intentionally weakened encryption, which they were able to break within a few hours.