BlackBerry issues security notice for OpenSSL FREAK vulnerability

BlackBerry has now officially issued a security notice for the OpenSSL vulnerability better known as "FREAK". Early reports had suggested that some BlackBerry operating systems (in addition to Android, iOS and OS X, some of which have already been patched) were vulnerable to the attack, which could theoretically be used to intercept what should be a secure HTTPS connection and downgrade the encryption to "export-grade", which is much easier to crack.

This weakness could allow an attacker who is able to intercept and modify encrypted SSL traffic to force a weaker cipher suite. This weaker cipher suite could be broken by a brute force attack within a finite time. In order to exploit this vulnerability, an attacker must first complete a successful man-in-the-middle (MitM) attack. This issue was addressed in OpenSSL 1.0.1k and a fix is available for integration into affected BlackBerry products. The vulnerability is detailed in CVE-2015-0204.

Further investigation into affected products is ongoing, and BlackBerry is working to determine the full impact of the issue and confirm the best approach for protecting customers. As fixes become available, this notice will be updated.

At the time the attack was discovered, it was thought that only BlackBerry OS 10.3.1.2267 was affected, but since the initial discovery more versions of the OS and various other BlackBerry offerings have been found to be affected as well, hence the official announcement from BlackBerry with the full list of affected and unaffected products.

When will BlackBerry fix the BlackBerry products affected by the OpenSSL vulnerability? BlackBerry notes that they are 'diligently working to determine the full impact of the issue and confirm the best approach for protecting customers' and that they are 'not aware of any attacks targeting BlackBerry customers using this vulnerability'.

BlackBerry response to OpenSSL "FREAK" Vulnerability

Overview

This security notice addresses the OpenSSL "FREAK" vulnerability that was disclosed on March 3, 2015. BlackBerry® is diligently working to investigate the vulnerability and to determine how best to mitigate customer risk. Investigations are still ongoing, but confirm that BlackBerry products are impacted by this vulnerability. We will update this security notice as new information and fixes become available.

Who should read this notice?

  • BlackBerry smartphone users
  • BBM for iOS, Android, and Windows Phone users
  • BlackBerry Blend users
  • BlackBerry Link users
  • Secure Work Space for iOS and Android users
  • IT administrators who deploy BlackBerry smartphones, BES12, BES10, BES5, or Secure Work Space for iOS or Android in an enterprise

More Information

  • Have any BlackBerry customers been subject to an attack that exploits this vulnerability? - BlackBerry is not aware of any attacks targeting BlackBerry customers using this vulnerability.
  • When will BlackBerry fix the BlackBerry products affected by the OpenSSL vulnerability? - For those products that are affected, we are diligently working to determine the full impact of the issue and confirm the best approach for protecting customers.
  • When will BlackBerry provide more updates about these issues? - BlackBerry may provide further updates as needed while our ongoing investigation continues. This notice will also be updated as affected BlackBerry products are fixed.
  • Where can I read more about the security of BlackBerry products and solutions? - For more information on BlackBerry security, visit www.blackberry.com/security and www.blackberry.com/bbsirt. For more information on security features in BlackBerry 10 devices, read the BlackBerry Security Overview.

Affected Software

  • BlackBerry 10 OS (all versions)
  • BlackBerry 7.1 OS and earlier (all versions)
  • BES12 (all versions)
  • BES10 (all versions)
  • BES12 Client (iOS) (all versions)
  • Secure Work Space for BES10/BES12 (Android) (all versions)
  • Work Space Manager for BES10/BES12 (Android) (all versions)
  • Work Browser for BES10/BES12 (iOS) (all versions)
  • Work Connect for BES10/BES12 (iOS) (all versions)
  • BlackBerry Blend for BlackBerry 10, Android, iOS, Windows and Mac (all versions)
  • BlackBerry Link for Windows and Mac (all versions)
  • BBM on BlackBerry 10 and Windows Phone (all versions)
  • BBM on Android earlier than version 2.7.0.6
  • BBM on iOS earlier than version 2.7.0.32
  • BBM Protected on BlackBerry 10 and BlackBerry OS (all versions)
  • BBM Protected on Android earlier than version 2.7.0.6
  • BBM Protected on iOS earlier than version 2.7.0.32
  • BBM Meetings for BlackBerry 10, Android, iOS, and Windows Phone (all versions)

Non-Affected Software

  • BES5 (all versions)
  • BlackBerry Universal Device Service (all versions)
  • BES12 Client (Windows Phone) (all versions)
  • BES12 Client (Android) (all versions)
  • BBM on Android version 2.7.0.6 and later
  • BBM on iOS version 2.7.0.32 and later
  • BBM Protected on Android version 2.7.0.6 and later
  • BBM Protected on iOS version 2.7.0.32 and later

Are BlackBerry smartphones affected?

Yes

Vulnerability Information

BlackBerry is currently investigating the customer impact of the recently announced OpenSSL FREAK vulnerability. A list of known affected and unaffected products is supplied in this notice, and may be updated as we complete our investigation.

The OpenSSL Factoring attack on RSA-EXPORT Keys is a vulnerability in the OpenSSL implementation included with affected BlackBerry products. The popular OpenSSL cryptographic software library is open-source software used to secure client/server transactions.

This weakness could allow an attacker who is able to intercept and modify encrypted SSL traffic to force a weaker cipher suite. This weaker cipher suite could be broken by a brute force attack within a finite time. In order to exploit this vulnerability, an attacker must first complete a successful man-in-the-middle (MitM) attack. This issue was addressed in OpenSSL 1.0.1k and a fix is available for integration into affected BlackBerry products. The vulnerability is detailed in CVE-2015-0204.

Further investigation into affected products is ongoing, and BlackBerry is working to determine the full impact of the issue and confirm the best approach for protecting customers. As fixes become available, this notice will be updated.
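The weakness described above (both in the article's summary and in the notice's Vulnerability Information section) comes down to two things a defender can check: whether a client or server still offers export-grade cipher suites at all, and whether the client enforces that an ephemeral RSA key in a ServerKeyExchange is only legitimate when an RSA_EXPORT suite was actually negotiated. The following is an added, illustrative example and is not part of BlackBerry's notice or OpenSSL's code; the cipher suite numbers are the IANA-registered values from RFC 2246/5246, and the ClientHello record it parses is constructed inline rather than captured from a real device.

```python
"""Audit TLS handshake messages for export-grade RSA cipher suites.

Added example (not BlackBerry's or OpenSSL's code): a defender-side parser that
pulls the cipher suite list out of a TLS ClientHello record and flags the
export-grade suites FREAK downgrades to, plus the consistency check a conforming
TLS client must apply to a ServerKeyExchange. The sample ClientHello is
constructed here, not captured.
"""
import struct

# Export-grade suites (40-bit RC4/RC2/DES40 with 512-bit RSA/DH) from RFC 2246.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
# Only these suites legitimately carry an ephemeral RSA key in ServerKeyExchange.
RSA_EXPORT_SUITES = {0x0003, 0x0006, 0x0008}


def build_client_hello(cipher_suites):
    """Build a minimal TLS 1.0 ClientHello record (constructed test input)."""
    body = struct.pack("!H", 0x0301)                 # client_version: TLS 1.0
    body += bytes(32)                                # random (zeros; constructed)
    body += b"\x00"                                  # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites  # cipher_suites vector
    body += b"\x01\x00"                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_suites(record):
    """Return the cipher suite IDs offered in a TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) != 5 + rec_len:
        raise ValueError("record length mismatch")
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("handshake length mismatch")
    pos = 2 + 32                                     # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                               # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]


def find_export_suites(suite_ids):
    """Names of export-grade suites present in an offer list (empty list = clean)."""
    return [EXPORT_SUITES[s] for s in suite_ids if s in EXPORT_SUITES]


def server_key_exchange_is_acceptable(negotiated_suite, ske_carries_rsa_params):
    """The client-side consistency check that defeats the downgrade: an
    ephemeral RSA key in ServerKeyExchange is only legitimate for an RSA_EXPORT
    suite. A server sending one under a non-export RSA suite is out of spec and
    the handshake must be aborted, whatever the client originally offered."""
    if ske_carries_rsa_params and negotiated_suite not in RSA_EXPORT_SUITES:
        return False
    return True


if __name__ == "__main__":
    # Constructed offer: AES-128, an RSA export suite, ECDHE-AES-GCM.
    hello = build_client_hello([0x002F, 0x0003, 0xC02F])
    print("export suites offered:", find_export_suites(parse_client_hello_suites(hello)))
    print("RSA params under AES suite accepted:", server_key_exchange_is_acceptable(0x002F, True))
```

On the server side the durable fix is simply to remove every suite in `EXPORT_SUITES` from the configuration; on the client side the `server_key_exchange_is_acceptable` rule is what stops a man-in-the-middle from swapping the negotiated suite's key exchange for a 512-bit export key.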

Mitigations

Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.

This issue is mitigated for all customers by the prerequisite that the attacker must first complete a successful man-in-the-middle (MitM) attack in order to exploit the vulnerability. For BES12, BES10, Blend and Link, this would additionally require that the attacker compromise the intranet.

This issue is further mitigated for customers sending data that is encrypted before being sent over SSL; for example, data encrypted by S/MIME or PGP will still be protected.