A group of critical vulnerabilities collectively known as EFAIL have been discovered in popular end-to-end encryption technologies PGP (and its open-source iteration GPG) and S/MIME. These vulnerabilities can be exploited by attackers to decrypt encrypted messages and relay the decrypted information to servers under their control.
OpenPGP has been the end-to-end email encryption protocol of choice for close to three decades, with S/MIME coming in second as the standard alternative to PGP encryption.
The recently discovered EFAIL vulnerabilities, as an academic paper suggests, may very well render PGP/GPG and S/MIME email encryption protocols defunct.
EFAIL Exfiltration Attacks
EFAIL attacks rely on the exfiltration of plaintext messages from the victim’s computer to the attacker’s server. For this to happen, exfiltration channels must first be created.
The attacker does this by intercepting active content relayed by HTML emails. This could be images and styles that have been loaded externally and can be manipulated without the victim’s knowledge.
To create an exfiltration channel, the attacker first has to intercept an encrypted message, whether it’s through spying on the network or by hacking into the victim’s computer. By modifying the contents of an encrypted email in a certain way, they request the plaintext to be relayed through specified URL channels.
Once the victim receives and decrypts the email, the modified email loads external HTML content, sending the plaintext straight to the attacker.
Direct Exfiltration vs. CFB Gadget Attack
EFAIL attacks exist in two variations, the first of which is considerably less complex than the second.
Direct exfiltration affects specific mail clients such as Mozilla Thunderbird, Apple Mail and iOS Mail.
The vulnerabilities in the affected mail clients exist due to how they display HTML content to the user. Direct exfiltration is what involves the alteration of the contents of an encrypted email, the modifications which allow the attacker to create an exfiltration channel through which the decrypted plaintext is relayed back.
CFB Gadget attacks, on the other hand, are more intricate and have a lower success rate but still pose a significant threat to the privacy of individuals using PGP encryption.
The malleability of ciphertext—i.e., its ability to be modified without affecting the message to be decrypted—has given attackers the power to not only intercept but also change the contents of an encrypted email.
This means that an intercepted message could be modified to read completely differently when decrypted.
Modern mechanisms and encryption algorithms have been proposed to tackle this issue of malleability, but OpenPGP does not reinforce integrity checks as it should and as such, messages that have failed the checks are still decrypted and relayed.
Furthermore, integrity checks can be stripped off relatively easily, so there’s not much protection offered by them either.
To prevent this, algorithms were put in place to prevent messages from being decrypted if they failed the integrity check.
But due to the lack of clear guidelines from OpenPGP as to what should happen if a message fails the check, messages are still displayed even without successfully passing the integrity check.
This second element of the EFAIL attack makes it possible for attackers to decrypt messages from the past that still exist on your hard drive.
Solutions and Recommendations
Since the vulnerability was revealed, the straightforward nature of the proof-of-concept has forced security experts, including the Electronic Frontier Foundation, to advise users to stop using PGP and S/MIME encryption plug-ins with immediate effect and until further notice.
As a temporary solution, users can decrypt PGP encrypted emails using offline software by copying and pasting the encrypted message to the decrypting software.
Shutting down HTML rendering in your email client is another temporary barrier to the most prominent EFAIL attack, but it does nothing to prevent attacks via the numerous back channels.
Email vendors are expected to start rolling out patches soon, but these patches are only expected to make the vulnerabilities harder to exploit, not fix them permanently.
The only permanent solution is to update OpenPGP and S/MIME standards, and this is something that could take a considerable amount of time. Until then, users of PGP encryption and S/MIME encryption protocols are advised to steer clear of the two email encryption tools for now.