The number of servers affected by the recently disclosed FREAK bug has decreased considerably over the past couple of weeks, but researchers have determined that a large number of potential targets are vulnerable, and attacks could be much cheaper and easier to pull off than initially believed.
The FREAK (Factoring attack on RSA-EXPORT Keys) vulnerability exists because many SSL/TLS servers still support weak, export-grade RSA ciphers. An attacker who can intercept the connection can force the client to use the weak cipher and decrypt encrypted communications.
The flaw affects popular cryptographic software libraries such as OpenSSL, BoringSSL, LibReSSL, Microsoft’s Secure Channel (Schannel), and Apple’s Secure Transport. The bug has been patched in these libraries, but according to researchers at the Royal Holloway University of London, there are still over 2 million vulnerable servers.
On March 3, when the vulnerability was disclosed, experts noted that 26% of all HTTPS servers were vulnerable. Last week, Royal Holloway researchers conducted a scan using a modified version of the zmap tool to determine how many servers still support export-grade ciphersuites. Of the 22,730,626 hosts they scanned, 2,215,504 offered export-grade 512-bit RSA keys, which represents 9.7% of the total.
As cryptography experts noted after the FREAK flaw was uncovered, an attacker can normally recover the private key needed to decrypt communications in roughly 7.5 hours using Amazon’s EC2 service and it would cost them $104.
However, researchers have now determined that an attack can be much cheaper and less time-consuming because many of the identified keys are duplicates.
“We observed 664,336 duplicate moduli in the set of 2,215,504 512-bit moduli obtained from our scanning. One single modulus was found 28,394 times, two further moduli arose more than 1,000 times each and a total of 1,176 moduli were seen 100 times or more each,” researchers explained in their paper.
Apparently, the key that shows up over 28,000 times corresponds to a router with an SSL VPN module. An attacker can crack the key for $100 and then use it to target all of the affected devices, which would result in a cost of only 0.3 cents per host.
As for the remaining 1,551,168 unique 512-bit RSA keys, researchers managed to factor 90 of them, corresponding to close to 300 hosts, in just 167 seconds on eight 3.3Ghz Xeon cores by using a program developed in 2012.
“The computation took less than 3 minutes on an 8-core system, saving the $9,000 that a cloud computation would have cost if each modulus had been attacked directly. We consider this to be a good return on investment for a Friday afternoon’s work,” researchers said.