FREAK bug and older IOS Devices?

Hello,

We have a large number of deployed iPhones that connect to our exchange server. Many of those phones are still iPhone 4 and Apple is no longer pushing out security updates to them. That means I have no way to patch the FREAK vulnerability on these devices.

My main concern is not with regular HTTPS sites as our users shouldn't be doing any of that on their phones anyway. My concern is the connection to our exchange server which does use HTTPS.

Is there any way to fix this server side? I'm assuming the answer is likely no since an attacker could force the user to use the weaker encryption without the server knowing about it. Is that a correct assumption on my part?

We already rolled out the group policy updates recommended by Microsoft last week and patched the server last night. But can an attacker still exploit this flaw and mount a man-in-the-middle attack on these IOS devices?

Thanks
Pawel_KowalskiAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Rich RumbleSecurity SamuraiCommented:
FREAK is a hard to pull off exploit, as are many man-in-the-middle exploits.
https://technet.microsoft.com/library/security/MS15-031#ID0EONAE
https://support.microsoft.com/kb/3046049/de
That should help you mitigate in the off chance someone targets you.
The attacker has to downgrade both sides.
-rich
Pawel_KowalskiAuthor Commented:
But that is for the server end and any clients connected to the domain, the iPhones will still accept the weaker 512-bit key, correct? So a man-in-the-middle attack would expose a 512-bit key to the iPhone and the stronger key to the server, correct?
Rich RumbleSecurity SamuraiCommented:
http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html That would be possible, in a man-in-the-middle exploit, again it's not a easy attack on many levels. It took the researchers 7.5 hours to factor one 512 key using $104 worth of EC2 time. Unless you have some major secrets, your likelihood is going to be wayyyyyyy down... this attack is like picking 4 locks on a front door... you can probably do another attack with far less effort (brick+window) and get in that way much easier.
-rich

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Pawel_KowalskiAuthor Commented:
I understand that but we do have sensitive data that hackers would love to get their hands on. If the iPhones get targeted they will get the user's name and password. Which will give them VPN access to our server and all the information that user has access to. I know I sound paranoid but $104 on EC2 isn't that much. And as I understand they can collect the data at a public hot spot and do the analysis later.

Thanks for the info. We have decided to simply update the old iPhones 4.
Rich RumbleSecurity SamuraiCommented:
There probably is nothing more you can do from what I see, and the attack (as they always do) improved over the past week. http://arstechnica.com/security/2015/03/https-crippling-freak-exploit-hits-thousands-of-android-and-ios-apps/
Short of Apple patching this on older iOS's, which does not help their bottom line as much as upgrades do... you'll have to upgrade.
Please also note, that a risk assessment may be good for your organization to help prioritize security and IT budgeting. Assuming the user/pass is compromised, you should have some additional controls if possible.  Two-factor is becoming a highly sought after and implemented mechanism for VPN's and webmail access. Have a look at my article here and see why your security can't stop there! http://www.experts-exchange.com/Security/Misc/A_12368-Two-Factor-Authentication-Added-layers-are-not-always-added-security.html

Also remember with this FREAK attack, an attacker does have to be in the middle, so a rouge wifi or ISP would have to probably be targeting someone, just sayin... and kudos to you for not letting that deter your goal of prevention nonetheless.
-rich
Rich RumbleSecurity SamuraiCommented:
https://www.ssllabs.com/ssltest/analyze.html seems work accurately.
-rich
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.