Efail Vulnerabilities Expose Popular Email Encryption Techniques
Target: PGP and S/MIME users
Attack Vector: Direct exfiltration and Cipher Block Chaining (CBC)/Ciphertext Feedback (CFB) gadget attack.
Summary: A critical flaw, dubbed Efail, has been discovered in the way certain email programs handle popular encryption technology intended to safeguard emails. It targets the encryption standards Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME), two similar protocols commonly used by businesses and enterprises. The flaw can affect applications such as Apple Mail, Outlook and Mozilla Thunderbird. The vulnerability allows hackers to read an encrypted email by making changes to its HTML, which tricks the affected email application into decrypting the rest of the message and lets the attackers read it in plaintext.
Risk assessment summary: This threat has been assessed as 4c LOW. If successful, attackers have the potential to gain access to sensitive information, including financial data, contained within encrypted emails. However, the Efail attack requires hackers to have a high level of access initially, which in itself is difficult to achieve. They must be able to intercept encrypted messages before they can exfiltrate them, which lowers the risk of exploitation. Users and businesses using PGP and S/MIME face a greater risk than businesses using other encryption standards. The flaw appears to be more serious in S/MIME than in PGP, as attacking S/MIME is more straightforward and tests have shown a much higher success rate.
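
A mail-gateway style check for the HTML tampering described in the summary, as an added example that is not part of the original advisory: it flags any multipart container in which an S/MIME or PGP/MIME encrypted part sits next to text/html siblings instead of being delivered on its own. That this layout is the form the tampering takes is an assumption of the example, as are the function names and the constructed sample messages.

```python
from email import message_from_string
from email.message import Message

def is_encrypted(part: Message) -> bool:
    """True for a PGP/MIME or S/MIME encrypted body part."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":            # PGP/MIME (RFC 3156)
        return True
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # pkcs7-mime also carries signed-only data; keep enveloped types only.
        kind = str(part.get_param("smime-type", "enveloped-data")).lower()
        return kind in ("enveloped-data", "authenveloped-data")
    return False

def scan(raw: str) -> list[str]:
    """Return the content type of every multipart container that holds an
    encrypted part next to a text/html sibling."""
    findings: list[str] = []

    def walk(part: Message) -> None:
        if is_encrypted(part) or not part.is_multipart():
            return                                # never look inside ciphertext
        children = part.get_payload()
        if (any(is_encrypted(c) for c in children)
                and any(c.get_content_type() == "text/html" for c in children)):
            findings.append(part.get_content_type())
        for child in children:
            walk(child)

    walk(message_from_string(raw))
    return findings

# Constructed samples; "AAAA" stands in for the ciphertext.
P7M = ('Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n'
       'Content-Transfer-Encoding: base64\n\nAAAA\n')
HTML = 'Content-Type: text/html\n\n<p>constructed filler</p>\n'
WRAPPED = ('MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
           '--b1\n' + HTML + '--b1\n' + P7M + '--b1\n' + HTML + '--b1--\n')
PLAIN_ENCRYPTED = 'MIME-Version: 1.0\n' + P7M

if __name__ == "__main__":
    for name, raw in (("wrapped", WRAPPED), ("plain", PLAIN_ENCRYPTED)):
        print(name, scan(raw) or "ok")
```

A hit is a reason to quarantine or strip the message for review, not proof of an attack, since some forwarding setups also mix parts this way.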