PGP and Efail Vulnerabilty exposing encrypted Emails via PGP/GPG and S/mine

in new •  6 months ago


If you use PGP or S/MIME for email encryption you should immediately disable it in your email client. Researchers have discovered a critical vulnerability they’re calling EFAIL that exposes the encrypted emails in plaintext, even for messages sent in the past.

THE UBIQUITOUS EMAIL encryption schemes PGP and S/MIME are vulnerable to attack, according to a group of German and Belgian researchers who posted their findings on Monday. The weakness could allow a hacker to expose plaintext versions of encrypted messages—a nightmare scenario for users who rely on encrypted email to protect their privacy, security, and safety.

Digital security trainers, whistleblowers, journalists, activists, cryptographers, industry, and nonprofit organizations have relied on PGP for 27 years as a way to protect email communications from eavesdroppers and ensure the authenticity of messages. If you’re like us, you likely have recommended PGP as an end-to-end encrypted email solution in workshops, trainings, guides, cryptoparties, and keysigning parties. It can be hard to imagine a workflow without PGP once you’ve taken the time to learn it and incorporate it in your communications.

Digital security trainers, whistleblowers, journalists, activists, cryptographers, industry, and nonprofit organizations have relied on PGP for 27 years as a way to protect email communications from eavesdroppers and ensure the authenticity of messages. If you’re like us, you likely have recommended PGP as an end-to-end encrypted email solution in workshops, trainings, guides, cryptoparties, and keysigning parties. It can be hard to imagine a workflow without PGP once you’ve taken the time to learn it and incorporate it in your communications.

Links
https://efail.de/
https://gizmodo.com/email-no-longer-a-secure-method-of-communication-after-1826002682
https://www.wired.com/story/efail-encrypted-email-flaw-pgp-smime/
https://lifehacker.com/how-to-secure-your-email-now-that-pgp-is-compromised-1826008338
https://www.pcmag.com/news/361179/email-encryption-with-pgp-may-have-a-serious-flaw
https://www.technadu.com/s-mime-and-pgp-email-encryption-flaws-affecting-millions-discovered-by-eff/28800/
https://gizmodo.com/securedrop-safe-from-the-new-pgp-attack-so-please-cont-1826016199
https://www.androidcentral.com/efail

White Paper
https://efail.de/efail-attack-paper.pdf

Website Outline Copied and Pasted below
https://efail.de/

EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails.

Email is a plaintext communication medium whose communication paths are partly protected by TLS (TLS). For people in hostile environments (journalists, political activists, whistleblowers, ...) who depend on the confidentiality of digital communication, this may not be enough. Powerful attackers such as nation state agencies are known to eavesdrop on email communications of a large number of people. To address this, OpenPGP offers end-to-end encryption specifically for sensitive communication in view of these powerful attackers. S/MIME is an alternative standard for email end-to-end encryption that is typically used to secure corporate email communication.

The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim's email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.

Direct Exfiltration

There are two different flavors of EFAIL attacks. First, the direct exfiltration attack abuses vulnerabilities in Apple Mail, iOS Mail and Mozilla Thunderbird to directly exfiltrate the plaintext of encrypted emails. These vulnerabilities can be fixed in the respective email clients. The attack works like this. The attacker creates a new multipart email with three body parts as shown below. The first is an HTML body part essentially containing an HTML image tag. Note that the src attribute of that image tag is opened with quotes but not closed. The second body part contains the PGP or S/MIME ciphertext. The third is an HTML body part again that closes the src attribute of the first body part.

The attacker now sends this email to the victim. The victim's client decrypts the encrypted second body part and stitches the three body parts together in one HTML email as shown below. Note that the src attribute of the image tag in line 1 is closed in line 4, so the URL spans over all four lines.

The email client then URL encodes all non-printable characters (e.g., %20 is a whitespace) and requests an image from that URL. As the path of the URL contains the plaintext of the encrypted email, the victim's email client sends the plaintext to the attacker.

The direct exfiltration EFAIL attacks work for encrypted PGP as well as S/MIME emails.

The CBC/CFB Gadget Attack
Second, we describe the novel CBC/CFB gadget attacks which abuse vulnerabilities in the specification of OpenPGP and S/MIME to exfiltrate the plaintext. The diagram below describes the idea of CBC gadgets in S/MIME. Because of the specifics of the CBC mode of operation, an attacker can precisely modify plaintext blocks if she knows the plaintext. S/MIME encrypted emails usually start with "Content-type: multipart/signed" so the attacker knows at least one full block of plaintext as shown in (a). She can then form a canonical plaintext block whose content is all zeros as shown in (b). We call the block pair X and C0 a CBC gadget. In step (c), she then repeatedly appends CBC gadgets to inject an image tag into the encrypted plaintext. This creates a single encrypted body part that exfiltrates its own plaintext when the user opens the attacker email. OpenPGP uses the CFB mode of operation, which has the same cryptographic properties as CBC and allows the same attack using CFB gadgets.

The difference here is that any standard-conforming client will be vulnerable and that each vendor may cook their own mitigations that may or may not prevent the attacks. Thus, in the long term, it is necessary to update the specification to find and document changes that fix the underlying root causes of the vulnerabilities.

While the CBC/CFB gadget attacks on PGP and S/MIME are technically very similar, the requirements for a successful attack differ substantially. Attacking S/MIME is straightforward and an attacker can break multiple (in our tests up to 500) S/MIME encrypted emails by sending a single crafted S/MIME email to the victim. Given the current state of our research, the CFB gadget attack against PGP only has a success rate of approximately one in three attempts. The reason is that PGP compresses the plaintext before encrypting it, which complicates guessing known plaintext bytes. We feel that this is not a fundamental limitation of the EFAIL attacks but more a technical hitch and that attacks become more efficient in future research.

Mitigations
Here are some strategies to prevent EFAIL attacks:

Short term: No decryption in email client. The best way to prevent EFAIL attacks is to only decrypt S/MIME or PGP emails in a separate application outside of your email client. Start by removing your S/MIME and PGP private keys from your email client, then decrypt incoming encrypted emails by copy&pasting the ciphertext into a separate application that does the decryption for you. That way, the email clients cannot open exfiltration channels. This is currently the safest option with the downside that the process gets more involved.

Short term: Disable HTML rendering. The EFAIL attacks abuse active content, mostly in the form of HTML images, styles, etc. Disabling the presentation of incoming HTML emails in your email client will close the most prominent way of attacking EFAIL. Note that there are other possible backchannels in email clients which are not related to HTML but these are more difficult to exploit.

Medium term: Patching. Some vendors will publish patches that either fix the EFAIL vulnerabilities or make them much harder to exploit.

Long term: Update OpenPGP and S/MIME standards. The EFAIL attacks exploit flaws and undefined behavior in the MIME, S/MIME, and OpenPGP standards. Therefore, the standards need to be updated, which will take some time.

Full technical paper
Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels [v0.9 Draft] [PDF]
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk.
27th USENIX Security Symposium, Baltimore, August 2018.

The team can be contacted at mail@efail.de.

Questions and Answers
What is PGP and S/MIME encryption?
What are the EFAIL attacks?
Are there CVEs for EFAIL?
Who is affected?
Can you read my emails?
But my emails are TLS encrypted!
Is my email client affected?
Can I find out whether I have already been attacked?
I don't send HTML emails. Am I safe?
I have disabled HTML in my email client. Am I safe?
Will signatures prevent these attacks?
Can you decrypt my own encrypted emails when I lost my private key?
Do I need to revoke my certificate or public key?
I have encrypted data using OpenPGP or S/MIME and I won't decrypt it in the email context. Am I safe?
What happens if there are quotes in the encrypted email?
What is PGP and S/MIME encryption?
Both technologies add an additional layer of security to your email communication. If used properly, both technologies should guarantee confidentiality and authenticity of your email messages even if an attacker has full access to your email account. The EFAIL attacks break this additional encryption layer.

What are the EFAIL attacks?
The EFAIL attacks break PGP and S/MIME email encryption by coercing clients into sending the full plaintext of the emails to the attacker.

Are there CVEs for EFAIL?
Yes, there are two official CVE nummers for the CBC/CFB gadget attacks:

CVE-2017-17688: OpenPGP CFB gadget attacks
CVE-2017-17689: S/MIME CBC gadget attacks

Different vendors assigned further CVEs for specific security issues relevant to EFAIL, for example, direct exfiltration attacks.

Who is affected?
Journalists, political activists or whistleblowers use an additional encryption layer, often PGP, because they fear that someone gets access to their email communication. The EFAIL attacks can be used to break this additional encryption layer. This leads to the situation where anyone getting access to their email communication can also read the victims emails even if they use additional PGP encryption. The same attacks apply to S/MIME which is typically used in enterprise infrastructures.

Can you read my emails?
No. The EFAIL attacks require the attacker to have access to your S/MIME or PGP encrypted emails. You are thus only affected if an attacker already has access to your emails. However, the very goal of PGP or S/MIME encryption is the protection against this kind of attacker. For those users who rely on PGP and S/MIME encryption, the EFAIL attacks may be a big deal!

But my emails are TLS encrypted!
TLS is a transport layer encryption technology that encrypts network traffic among email clients and email servers, or between two email servers. However, the emails are processed and stored in plaintext on the servers and in the email accounts. Any attacker getting access to these emails, either via compromising an email account or an email server, can read and change these emails. PGP and S/MIME are used to protect the confidentiality and integrity of emails in case an attacker can already access the emails.

Is my email client affected?
Our analysis shows that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients. While it is necessary to change the OpenPGP and S/MIME standards to reliably fix these vulnerabilities, Apple Mail, iOS Mail and Mozilla Thunderbird had even more severe implementation flaws allowing direct exfiltration of the plaintext that is technically very easy to execute.

Can I find out whether I have already been attacked?
Not for sure. You can of course search in your inbox for malicious emails indicating EFAIL attacks. A strong indication for these attacks could be, for example, malformed emails with unclosed img tags followed by encrypted content, or encrypted content that exfiltrates the plaintext to foreign URLs. However, note that emails are encrypted with the keys of sender as well as all receivers. The attacker can target any of these parties to exfiltrate content that is important to you. In advanced attack scenarios where the attacker is in control of the email server, she could have deleted the malicious emails after the victim has processed them.

I don't send HTML emails. Am I safe?
No. The attacker can change encrypted text/only emails to HTML emails. You need to disable viewing HTML email to increase protection from EFAIL attacks.

I have disabled HTML in my email client. Am I safe now?
Depends. S/MIME or PGP encrypted emails are encrypted with the public keys of all recipients and the sender. The attacker can thus perform the EFAIL attacks if only one of the participants is vulnerable. In order to prevent the EFAIL attacks, all participants must use secure email clients.

Will signatures prevent these attacks?
No. PGP and S/MIME emails are displayed in the email program independently of whether or not they are signed or whether an existing signature is valid or not. Even if signatures did matter: an attacker can copy the altered ciphertext into a separate email and create a valid signature under his own name.

Can you decrypt my own encrypted emails when I lost my private key?
No. The EFAIL attacks target a victim, who is in possession of the private key and who decrypts our prepared emails in an email client. If the private key is lost, the EFAIL attacks won't help recovering encrypted messages.

Do I need to revoke my certificate or public key?
No. Using the EFAIL attacks, the attacker can retrieve the plaintext of encrypted OpenPGP and S/MIME messages. She does not get direct access to the private key.

I have encrypted data using OpenPGP or S/MIME and I won't decrypt it in the email context. Am I safe?
For now yes. There may be edge cases though that we hadn't looked into. For example, if you encrypted a directory with sensitive files, an attacker could change these encrypted files to contain false information or even malware. If a victim decrypts the directory and opens any of the files, malware or even just an HTML file could be used to exfiltrate plaintext or even compromise the system.

What happens if there are quotes in the encrypted email?
Quotes in the plaintext might end the URL that is used to exfiltrate the plaintext so that either the bytes after the quote are not exfiltrated or that the exploit may not work at all. Because of the properties of the CBC and CFB modes of operation, an attacker can split a single S/MIME or PGP ciphertext into multiple parts and exfiltrate each independently with separate HTML tags (but still in one email). If one part contains quotes then only the residual plaintext bytes in that part are missing. There is a whole zoo of techniques that the attacker can use to exfiltrate the full plaintext despite these technical obstacles.

Responsible Disclosure
We have responsibly disclosed our findings to the affected vendors who have applied (or are in the process of applying) countermeasures. Please note that in general these countermeasures are specific hotfixes and we cannot rule out that extended attacks with further backchannels or exfiltrations will be found. Moreover, even if all backchannels are closed, both standards are still vulnerable to attacks where the attacker can modify email content or inject malicious code into attachments which get executed in a context beyond email client.

We informed German CERT and BSI about our attacks in December 2017. They forwarded all the relevant information to other CERTs and companies.

We disclosed our attacks to the GnuPG developers on the 24th of November 2017. Further clients are listed below. For reference we also include case numbers and CVEs if they have been assigned.

Attacks on S/MIME clients:

  • Due to the amount of disclosed products we have missed communication with this vendor.

Attacks on PGP clients:

Direct exfiltration attacks:

Coverage
Electronic Frontier Foundation
MAY 13, 2018
Attention PGP Users: New Vulnerabilities Require You To Take Action Now
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

Ars Technica
MAY 14, 2018
Critical PGP and S/MIME bugs can reveal encrypted e-mails. Uninstall now
https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/

Golem
MAY 14, 2018
PGP und S/MIME abschalten
https://www.golem.de/news/e-mail-verschluesselung-pgp-und-s-mime-abschalten-1805-134359.html

Last updated May 14, 2018 | The Efail website free to use under GPL | Logo designed by Jana Runde and Zuzana Somorovska (free to use under a CC0 license) | Imprint

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

To listen to the audio version of this article click on the play image.

Brought to you by @tts. If you find it useful please consider upvote this reply.

Hi @defango, just letting you know why i removed my vote for your very informative post. It was pointed out to me that several of the paragraphs are copy and pasted directly from gizmoto and eff articles. You did provide the sources but i couldn't distinguish your own writing from the original articles. I did enjoy the video so am still upvoting at a reduced amount.

·

It was indicated with all the links and things also in the video I made about it. really thanks alot?

·
·

If you take a few seconds to indicate quotations using (>), I'll certainly reconsider.

quote

·
·
·

whats that like a quote button??

(>test)

·
·
·
·

Yes, it's a markdown feature. try using simply ">" (without quotations)

check, check

·
·
·
·
·

Ya I tried that and really it's pretty stupid for me to have to do it when I clearly have the link on the website and said it.

I'll just have to say it really not cool of "steemians" who build up peoples steemit account with votes only to take them away based on very limited information. it clearly says its from the website and I should not be bullied into having to do anything.

Right now I want you to realize that your not only messing with my life, you are manipulating me with this plaform and that just plain isnt cool. I was wondering why I was getting votes so big and I thought it was because people liked my content and Now I see you just got a big delegation and you are not using to force people to do things. It's really sad because I thought I was going to be ok with all the upvotes I was getting but now I see you were just loading me up to take it away. That's so not cool.

Sorry I'm not going to be changing my setup just for you because you incorrectly judged the system. I'll try to do it in the future. Great Now I can go back to being poor because appearently all the fucking videos and work I do is not good enough for v4vapid. T\

·
·
·
·
·
·

le sigh
I also removed a vote from this post when I found out it was plagiarized . Both v4vapid and myself have supported a lot of your content, and assumed you wouldn't just be copy pasting entire articles. To try and guilt trip him for removing his vote on an article you did next to no original work on is ridiculous. Why should you be held to different standards as everyone else we support ?

·
·
·
·
·
·
·

le whatever, I dont copy and paste entire articles and I cover all my information clearly in video. it's such a pain dealing with all the ego's around here who aparently know better and throw around weight without any understanding of how content generation works.

Thanks for the Guilt Trip.

If you block your email client from downloading any remote content does this block the attack?

·

No you need to update the client you are using

What kind of a weirdo uses PGP but enables a gaping security hole like turning on HTML rendering in their email client? I know thunderbird has it off by default and you have to manually click in each email if you want to enable HTML.

It's still a notable exploit but i really don't see this being much of an issue for the average user of PGP. Am I missing something? Why are these articles telling people to stop using PGP? PGP is fine, HTML rendering in emails is the issue, and that's ALWAYS been a security risk.