BlackBerry begins slow rollout for FREAK security flaw, most devices still at risk
BlackBerry has issued a warning to users that most of its devices and encrypted messaging services are vulnerable to a serious security vulnerability.
The Ontario, Canada-based phone maker said in an advisory, almost two weeks after the flaw was first discovered, that it does not have a fix in place for for most of its impacted devices.
A spokesperson for the company confirmed that it issued a patch for Z30 devices running the latest 10.3.1 update.
"We will continue the patches for other products impacted," the spokesperson said.
The FREAK flaw is a weakness in modern Web cryptography, which allows an attacker to potentially intercept encrypted traffic between a vulnerable client and server and force them into using weaker encryption that can be easily cracked. But despite knowing about the problem since the beginning of the month, the company said there are no current workarounds to prevent device data from being intercepted.
All versions of newer BlackBerry 10 devices, older BlackBerry 7.1 devices, and BlackBerry Enterprise Service 12 and earlier are affected by the flaw -- essentially almost every product the company currently has on the market.
BlackBerry Messenger on Android, iPhones and iPads, and Windows Phone are also affected by the vulnerability.
"Further investigation into affected products is ongoing, and BlackBerry is working to determine the full impact of the issue and confirm the best approach for protecting customers," the advisory warns.
"As fixes become available, this notice will be updated," it read.
Every version of Windows is affected. Apple devices, including Macs, iPhones, and iPads (which are now patchable are also hit by the bug, along with Google's Android operating system. Dozens of other device makers, including Cisco, are introducing patches and fixes for the bug.
BlackBerry devices have long been seen as the industry standard for encrypted messaging. US President Barack Obama has during his two terms held onto his trusty phone, despite warnings from the Secret Service to use a hardened, custom device.
The saving grace is that the back-end system, run by BlackBerry Enterprise Service, would require an attacker to compromise the user's intranet. It also said that devices encrypting content before being sent over SSL, such as PGP or S/MIME, will "still be protected."
Updated on March 14: with comments from BlackBerry spokesperson.