Read My Mail, Please…

It was announced that European researchers discovered that the popular PGP and S/MIME email encryption standards are vulnerable to being hacked. Dubbed EFAIL, it is described as vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME. From the website, EFAIL abuses active content of HTML emails to exfiltrate plaintext through requested URLs. In “Direct Exfiltration”, the victim’s stolen encrypted message is sent to the victim sandwiched between two parts of an HTML request for delivering the text back to the attacker as an image request. This leverages vulnerabilities in Apple Mail, iOS Mail, and Mozilla Thunderbird. The “CBC/CFB Gadget Attack” abuses a weakness in the Cyber Block Chaining (CBC) mode of operation used in S/MIME. If you know some of the text that is encrypted – and you do, because most encrypted messages have that phrase at the beginning, you can build a “gadget” – which is just a set of bits in a cipher stream that you can insert into the existing cipher stream with the text you want to insert. OpenPGP uses Cipher Feedback (CFB) which has similar cryptographic properties allowing the same abuse, but by embedding it in the cipher stream any standard-conforming client will be vulnerable. PGP also compresses the plaintext before encrypting it, which complicates guessing any known plaintext bytes. 

Different vendors have different CVEs for specific security issues relevant to EFAIL, but there are two CVE numbers for the CBC and CFB gadget attacks: CVE-201717688: OpenPGP CFB gadget attacks and CVE-2017-17689: S/MIME CBC gadget attacks. The researchers stated that their analysis showed that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients.

Synack’s CTO and Co-Founder Mark Kuhr pointed out that independent security researcher are advising people to stop using PGP, and the media is following suit. But his opinion is that this is a terrible idea. “This is like saying ‘your lock may not work, so leave your door wide open.’” Lee Neely on the editorial board of SANS NewsBites in Volume 20 Number 38 states it best “These flaws are relatively low risk as exploiting these vulnerabilities is tricky and relies on several things.” 
Time will tell as to just how dangerous and exploitable these flaws are. Don’t read us wrong – should these flaws be addressed? Absolutely. We all need to implement mitigations (a number of which were outlined on the website), address correcting the clients, follow the CVEs and patches as available, and address the systemic fixes to PGP and S/MIME protocols. But we also need to address the underlying conflicts between usability and capability vs. security that are in our opinion at the root of this issue, and look toward making email more secure.

Sources: 