Email encryption systems 'irreparably broken': German researchers


2018-05-15 /

The two common types of email encryption are not as secure as previously thought, German researchers have found. Both Windows and Apple users could be affected by the "Efail" problem.

 Encryption used by most email software — from Outlook and Windows Mail to Thunderbird and Apple Mail — can be intercepted by hackers who can read at least parts of the written text, announced a German-led research team.

 Academics from Münster University of Applied Sciences, along with their peers at Ruhr University Bochum and KU Leuven in Belgium, said they were able to break two types of encryption that until now were so secure that even intelligence agencies couldn’t penetrate them.

Several tests, which were overseen by reporters from German daily Süddeutsche Zeitung (SZ) as well as public broadcasters NDR and WDR, showed severe weaknesses in the S/MIME and Open PGP standards.

 During the tests, which have been quickly dubbed "Efail" by German media, the team was able to trick computers into covertly forwarding them decrypted messages.

 The researchers warned that both tools can no longer sufficiently guarantee the security of encrypted messages.

S/MIME — which is primarily used by corporations to protect the security of their emails — was described as irreparably broken.

The more open-source PGP, which stands for Pretty Good Privacy, also has serious problems that leave it vulnerable to certain attacks, the team said.

PGP is used by activists, journalists and whistleblowers, including Edward Snowden, who revealed details of pervasive electronic surveillance by US intelligence agencies before fleeing to Russia.

PGP uses an algorithm to generate a "hash," or mathematical summary, of a user's name and other information. This is then encrypted with the sender's private "key" and decrypted by the receiver using a separate public key.

To exploit the weakness, a hacker would need to have access to an email server or the mailbox of a recipient. In addition, the mails would need to be in HTML format and have active links to external content to be vulnerable.

 Germany’s Federal Office for Information Security (BSI) admitted that the findings constituted "a serious security breach."

But it said that, correctly used and configured, both forms of encryption remained secure. To prevent a breach, the BSI said that users needed to secure access to their mailboxes and prevent their email clients from loading HTML code from external websites.

The German media outlets that worked on the story said that Microsoft and Apple had been informed of the vulnerabilities.


... Researchers explain the attack behind their warning to disable email plugins for now.

Unfixed bugs in widely used email programs make it possible for attackers to obtain the plaintext of messages that are encrypted using the PGP and S/MIME standards, said researchers. The attacks assume that an attacker has possession of the encrypted emails and can trick either the original sender or one of the recipients into opening an invisible snippet of the intercepted message in a new email.

The flaws, some of which have existed for more than a decade, are part of a series of vulnerabilities dubbed Efail described by a team of European researchers. The vulnerabilities allow attackers to exfiltrate email plaintexts by embedding the previously obtained ciphertext into unviewable parts of an email and combining it with HTML coding. 

the researchers published the paper, which is titled Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels.

The most serious vulnerabilities have resided in Thunderbird, macOS Mail, and Outlook for more than 10 years and remain unfixed at the moment, the researchers said. Flaws in the way the programs handle emails with multiple body parts make it possible to embed invisible snippets of previously obtained encrypted text in new emails. By also including the Web address of an attacker-controlled server, the newly sent emails can cause the programs to send the corresponding plaintext to the server. The surreptitious exfiltration works against both the PGP and S/MIME standards.

 “If you use PGP or S/MIME for sensitive information then this is a big deal,” Matt Green, a professor specializing in encryption at Johns Hopkins University, told Ars. “It means that those emails are potentially not secure. There is a real attack that can be exploited by people that allows them to decrypt a lot of encrypted email.”

So far the researchers have been unable to develop a working exploit that works when emails are viewed as text rather than in HTML. That means a less disruptive way to mitigate the vulnerability is to disable HTML in email clients. The researchers said they believe it may be possible to ex filtrate plaintext even when HTML is disabled using several different methods. One involves attaching malicious PDF or Microsoft Word documents that ex filtrate itself when opened. Another potential method might make small changes to the plaintext to call it to leak to a server.

The researchers said they made the more drastic recommendation to temporarily disable PGP in email apps out of an abundance of caution. Even when people follow such advice, it's still possible to send and receive encrypted mail, as long as the encrypting and decrypting happens in in an application that's separate from the email client. 

The requirement that an attacker already have possession of an encrypted message is an important consideration. It means that the attacker would first have to break into an email server, take over an email account, intercept traffic as it crossed the Internet, or have access to a hard drive storing a previously sent email. The attacker would then have to get the sender or one of the receivers of the previously obtained message to open a new attacker-sent email. The new email would embed portions of the cipher text in places that often aren't displayed by Thunderbird, Mail, Outlook, and more than two-dozen other email programs. When done properly, the attack causes the corresponding plaintext of those snippets to be displayed on an attacker-controlled server.

 While the requirement that attackers have access to previously sent emails is an extremely high bar, the entire purpose of both PGP and S/MIME is to protect users against this possibility.