BlackBerry is warning customers that a large portion of the company’s product portfolio is vulnerable to the FREAK SSL attack. Many versions of the BlackBerry OS and BlackBerry Enterprise Server are vulnerable to FREAK, as are a number of versions of BlackBerry Messenger.
The advisory from BlackBerry says that there are no workarounds for the attack on the company’s products. FREAK allows an attacker to take advantage of the fact that some SSL clients, including OpenSSL, will accept weak, 512-bit RSA encryption keys under some circumstances. An attacker who is able to execute a man-in-the-middle attack against a target using a weak key can then intercept the key and factor it offline. Because some servers will use the same key indefinitely, an attacker could then decrypt all of the future encrypted sessions on that server.
BlackBerry said in its advisory that it is still trying to determine the extent of the effect on its products.
“This weakness could allow an attacker who is able to intercept and modify encrypted SSL traffic to force a weaker cipher suite. This weaker cipher suite could be broken by a brute force attack within a finite time. In order to exploit this vulnerability, an attacker must first complete a successful man-in-the-middle (MitM) attack. This issue was addressed in OpenSSL 1.0.1k and a fix is available for integration into affected BlackBerry products,” the advisory says.
“Further investigation into affected products is ongoing, and BlackBerry is working to determine the full impact of the issue and confirm the best approach for protecting customers.”
The list of BlackBerry products that are considered vulnerable is extensive:
BlackBerry said that it will update the advisory as more information becomes available.