BlackBerry is warning customers that a large portion of the company’s product portfolio is vulnerable to the FREAK SSL attack. Many versions of the BlackBerry OS and BlackBerry Enterprise Server are vulnerable to FREAK, as are a number of versions of BlackBerry Messenger.
The advisory from BlackBerry says that there are no workarounds for the attack on the company’s products. FREAK allows an attacker to take advantage of the fact that some SSL clients, including OpenSSL, will accept weak, 512-bit RSA encryption keys under some circumstances. An attacker positioned as a man-in-the-middle between a client and a server that uses such a weak key can capture the key and factor it offline. Because some servers will use the same key indefinitely, an attacker could then decrypt all of the future encrypted sessions on that server.
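The downgrade FREAK depends on is visible in the handshake: the server ends up negotiating an RSA_EXPORT cipher suite. The following added example, which is not part of the BlackBerry advisory or any BlackBerry code, parses a TLS ServerHello record and reports whether the chosen suite is one of the RSA_EXPORT code points from RFC 2246; the ServerHello it checks is constructed inline as sample input, and the function and variable names are this example's own.

```python
# Added example (not from the BlackBerry advisory): flag a TLS ServerHello whose
# negotiated cipher suite is an RSA_EXPORT suite, i.e. the downgrade FREAK relies on.
import struct

# RSA_EXPORT cipher suite code points from RFC 2246, Appendix A.5.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def negotiated_suite(record: bytes) -> int:
    """Return the cipher suite code point from a TLS record carrying a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:       # ContentType: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:           # HandshakeType: server_hello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # version(2) + random(32) + session_id_length(1) + session_id + cipher_suite(2)
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", hello[off:off + 2])[0]

def export_downgrade(record: bytes):
    """Name of the RSA_EXPORT suite the server chose, or None if it is not export-grade."""
    return RSA_EXPORT_SUITES.get(negotiated_suite(record))

def build_server_hello(suite: int) -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (sample input for the check)."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # 0x0003 is RSA_EXPORT_WITH_RC4_40_MD5; 0x002F is TLS_RSA_WITH_AES_128_CBC_SHA (RFC 3268)
    for suite in (0x0003, 0x002F):
        rec = build_server_hello(suite)
        print(hex(suite), export_downgrade(rec) or "not an export suite")
```

A server whose handshakes ever show one of these suites is exposed regardless of what the client asked for, so the check belongs on the server side as well as in client-side monitoring.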
BlackBerry said in its advisory that it is still trying to determine the extent of the effect on its products.
“This weakness could allow an attacker who is able to intercept and modify encrypted SSL traffic to force a weaker cipher suite. This weaker cipher suite could be broken by a brute force attack within a finite time. In order to exploit this vulnerability, an attacker must first complete a successful man-in-the-middle (MitM) attack. This issue was addressed in OpenSSL 1.0.1k and a fix is available for integration into affected BlackBerry products,” the advisory says.
“Further investigation into affected products is ongoing, and BlackBerry is working to determine the full impact of the issue and confirm the best approach for protecting customers.”
The list of BlackBerry products that are considered vulnerable is extensive:
- BlackBerry 10 OS (all versions)
- BlackBerry 7.1 OS and earlier (all versions)
- BES12 (all versions)
- BES10 (all versions)
- BES12 Client (iOS) (all versions)
- Secure Work Space for BES10/BES12 (Android) (all versions)
- Work Space Manager for BES10/BES12 (Android) (all versions)
- Work Browser for BES10/BES12 (iOS) (all versions)
- Work Connect for BES10/BES12 (iOS) (all versions)
- BlackBerry Blend for BlackBerry 10, Android, iOS, Windows and Mac (all versions)
- BlackBerry Link for Windows and Mac (all versions)
- BBM on BlackBerry 10 and Windows Phone (all versions)
- BBM on Android earlier than version 2.7.0.6
- BBM on iOS earlier than version 2.7.0.32
- BBM Protected on BlackBerry 10 and BlackBerry OS (all versions)
- BBM Protected on Android earlier than version 2.7.0.6
- BBM Protected on iOS earlier than version 2.7.0.32
- BBM Meetings for BlackBerry 10, Android, iOS, and Windows Phone (all versions)
BlackBerry said that it will update the advisory as more information becomes available.