Researchers Find 600,000 Servers Use Duplicate Encryption Key
PC World is reporting that researchers, looking for servers that were susceptible to the FREAK attack, found that some manufacturers have taken a shortcut when it comes to security.
First, FREAK is an attack that allows attackers to force an encryption session between a user and a server to use a very weak 512-bit encryption key. These keys are insecure and can be easily cracked. I won’t go into the details here, but you can search for FREAK attack and find lots of articles. Manufacturers have started issuing patches for FREAK.
What the researchers did find is that a lot of the servers that were susceptible to this attack used the same encryption key. Out of 2.2 million servers that they found susceptible, 664,000 used duplicated keys. Mathematically, this could never happen by chance, since keys are supposed to be calculated on the fly. What appears to be happening is that some manufacturers are taking a shortcut and hard-coding an encryption key into a particular piece of software or hardware.
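An added example, not from the original article or the researchers' tooling: a defender's audit that groups hosts in an inventory by RSA public key and flags keys that are shared across hosts or are export-grade short. The hostnames, moduli, record format and the 2048-bit threshold are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory (not real scan data): (host, RSA modulus as hex).
# Input formats differ on purpose, as they do when records come from mixed tools.
SHARED = "c3" + "5a" * 63    # constructed 512-bit modulus
UNIQUE = "d1" + "7e" * 255   # constructed 2048-bit modulus
INVENTORY = [
    ("vpn-gw-01.example", SHARED),
    ("vpn-gw-02.example", "00:" + ":".join(SHARED[i:i + 2] for i in range(0, 128, 2)).upper()),
    ("router-17.example", "0x" + SHARED),
    ("www.example", UNIQUE),
]

def parse_modulus(text):
    """Return the modulus as an int, tolerating colons, case, 0x and leading zeros."""
    digits = "".join(text.split()).replace(":", "").lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    return int(digits, 16)

def key_id(modulus):
    """Short stable identifier: SHA-256 over the modulus's minimal big-endian bytes."""
    raw = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).hexdigest()[:16]

def audit(inventory, min_bits=2048):
    """Group hosts by key; min_bits is an assumed policy threshold, not from the article."""
    groups, bits = defaultdict(list), {}
    for host, modulus_text in inventory:
        n = parse_modulus(modulus_text)
        groups[key_id(n)].append(host)
        bits[key_id(n)] = n.bit_length()
    findings = []
    for kid, hosts in groups.items():
        reasons = []
        if len(hosts) > 1:
            reasons.append("shared by %d hosts" % len(hosts))
        if bits[kid] < min_bits:
            reasons.append("%d-bit modulus" % bits[kid])
        if reasons:
            findings.append({"key": kid, "bits": bits[kid], "hosts": sorted(hosts), "reasons": reasons})
    return sorted(findings, key=lambda f: -len(f["hosts"]))

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f["key"], "; ".join(f["reasons"]), ", ".join(f["hosts"]))
```

Comparing the parsed integer rather than the raw string is what lets the three differently formatted records collapse into one finding.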
The researchers tried to crack the keys and, on a commercial PC, it took them THREE MINUTES to break 90 of the keys.
Do you think that hackers and spies already understand this?
This is another example, like the Lenovo Superfish problem and the SOHO router problem that I reported on last week, of a software supply chain run amok.
This is also why I keep saying that SSL is fatally ill and likely not fixable. Note that while FREAK is an SSL problem, this is a process problem and not an encryption algorithm problem.
It is interesting that we are seeing all of these bugs or features discovered since the Snowden leaks. Seems to have gotten people interested.
Mitch