There's more bad news surrounding the HTTPS-crippling FREAK vulnerability that came to light two weeks ago. A recently completed scan of the Internet revealed 10 percent of servers that support the underlying transport layer security protocol remain susceptible. Even worse, many of these laggards contain an additional weakness that drastically drives down exploitation costs, in the most extreme cases to just pennies per server.
As Ars reported almost two weeks ago, so-called FREAK attacks—short for Factoring attack on RSA-EXPORT Keys—are possible when an end user with a vulnerable device connects to an HTTPS-protected website configured to use a weak, 512-bit encryption key. Previously, it took about seven hours and $100 in cloud-computing fees to break such a key. The attack worked by painstakingly analyzing the 512-bit modulus of a vulnerable RSA key pair to discover the two underlying prime numbers that produced it. Attackers had to factor the key of each vulnerable website they wanted to exploit. The work and cost required made it hard to exploit the weakness at scale. Meanwhile, the number of servers that stopped using weak 512-bit keys in the days following the FREAK disclosure acted as a further disincentive for would-be attackers.
Now comes word of an easier, less costly exploit. An Internet scan carried out one week after FREAK came to light has turned up evidence suggesting the weakness may not be so difficult to exploit after all. Of the 22.7 million servers found to support TLS encryption, 2.2 million—or 9.7 percent of them—continued to offer the export-grade 512-bit keys. More troubling still, the team of researchers from Royal Holloway University of London found large clusters of repeated moduli inside the keys' mathematical DNA. In the most extreme case, a single 512-bit modulus appeared 28,394 times in the survey, meaning there were that many servers using precisely the same underlying prime numbers that, when multiplied together, produced the common modulus. Spending $100 and seven hours, then, would allow attackers to spoof as many as 28,394 sites or devices or to decrypt their TLS-protected traffic. That breaks down to about three cents per server or device.
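As an added illustration (not code from the Ars article or from the Royal Holloway survey), the Python script below runs the same kind of audit over a constructed set of scan records: it flags hosts still offering an export-sized (at most 512-bit) RSA modulus, groups hosts that share one modulus, and spreads the $100 factoring cost quoted above across each cluster. The host names, the tiny stand-in moduli and the audit's output shape are assumptions made for the demo.

```python
from collections import defaultdict

# Constructed scan records (host, RSA modulus n) standing in for a TLS survey.
# None of these are real keys. Small primes keep the demo instant; the
# grouping logic is identical for real 512-bit moduli.
_P1, _Q1 = 2147483647, 1000000007      # both prime
_P2, _Q2 = 998244353, 65537            # both prime
N_SHARED = _P1 * _Q1                   # one modulus reused by several hosts
N_UNIQUE = _P2 * _Q2                   # export-sized, but seen on one host only
N_STRONG = (1 << 2047) | 1             # 2048-bit stand-in for a non-export key

SCAN = [
    ("a.example", N_SHARED),
    ("b.example", N_SHARED),
    ("c.example", N_SHARED),
    ("d.example", N_UNIQUE),
    ("e.example", N_STRONG),
]

EXPORT_MAX_BITS = 512   # the RSA_EXPORT ceiling that FREAK relies on


def is_export_grade(n: int) -> bool:
    """True if the modulus is within the 512-bit RSA_EXPORT limit."""
    return n.bit_length() <= EXPORT_MAX_BITS


def export_grade_hosts(scan):
    """Hosts that still offer a factorable, export-sized modulus."""
    return [host for host, n in scan if is_export_grade(n)]


def shared_modulus_clusters(scan):
    """Map each export-grade modulus seen on 2+ hosts to its sorted host list.
    One factoring job against such a modulus exposes every host in the cluster."""
    groups = defaultdict(list)
    for host, n in scan:
        if is_export_grade(n):
            groups[n].append(host)
    return {n: sorted(hosts) for n, hosts in groups.items() if len(hosts) > 1}


def cost_per_host(cluster_size: int, factoring_cost: float = 100.0) -> float:
    """Amortized cost of one factoring job spread over a cluster of hosts."""
    return factoring_cost / cluster_size


def audit(scan):
    """Summarize exposure: export hosts, clusters, and worst-case per-host cost."""
    clusters = shared_modulus_clusters(scan)
    worst = max((len(h) for h in clusters.values()), default=1)
    return {"export_hosts": export_grade_hosts(scan), "clusters": clusters,
            "worst_cluster_size": worst, "worst_cost_per_host": cost_per_host(worst)}


if __name__ == "__main__":
    for key, value in audit(SCAN).items():
        print(key, value)
```

Against a live server, the equivalent check is whether `openssl s_client -connect host:443 -cipher EXPORT` completes a handshake using an OpenSSL build that still ships the export suites; a server that does is still offering them.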