Menu
Researchers claim popular encrypted email standards are vulnerable to attack

Researchers claim popular encrypted email standards are vulnerable to attack

The researchers have informed email providers of their findings

European researchers have found that the popular PGP and S/MIME email encryption standards are vulnerable to being hacked and they urge users to disable and uninstall them immediately.

University researchers from Muenster and Bochum in Germany, and Leuven in Belgium, discovered the flaws in the encryption methods that can be used with popular email applications such as Microsoft Outlook and Apple Mail.

"There are currently no reliable fixes for the vulnerability," lead researcher Sebastian Schinzel, professor of applied cryptography at the Muenster University of Applied Sciences, said on Monday.

"If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now."

The team had been due to publish its full findings on Tuesday but rushed them out after the news made waves among the community of encrypted email users that includes activists, whistleblowers and journalists working in hostile environments.

Titling the exploit 'Efail', they wrote that they had found two ways in which hackers could effectively coerce an email client into sending the full plaintext of messages to the attacker.

There's no immediate suggestion that spy agencies or state-sponsored hackers have already used the technique to burrow into people's emails.

The researchers have informed email providers of their findings, under so-called responsible disclosure, and it now falls to others to establish whether the exploits can be replicated.

Direct exfiltration

In the first exploit, hackers can 'exfiltrate' emails in plaintext by exploiting a weakness inherent in Hypertext Markup Language (HTML), which is used in web design and in formatting emails.

Apple Mail, iOS Mail and Mozilla Thunderbird are all vulnerable to direct exfiltration, they said.

A second attack takes advantage of flaws in OpenPGP and S/MIME to inject malicious text that in turn makes it possible to steal the plaintext of encrypted emails.

The vulnerabilities in PGP and S/MIME standards pose an immediate risk to email communication including the potential exposure of the contents of past messages, said the Electronic Frontier Foundation (EFF), a US digital rights group.

In a blog post, the EFF recommended that PGP users uninstall or disable their PGP email plug-ins while the research community evaluates the seriousness of the flaws reported by the European research team.

It also said that users should switch for the time being to non-email-based secure messaging apps such as Signal for sensitive communications.

Germany's Federal Office for Information Security (BSI) said in a statement there were risks that attackers could secure access to emails in plaintext once the recipient had decrypted them.

It added, however, that it considered the encryption standards themselves to be safe if correctly implemented and configured.

"Securely encrypted email remains an important and suitable means of increasing information security," it said in a statement, adding that the flaws which have been discovered can be remedied through patches and proper use.

PGP - short for Pretty Good Privacy - was invented back in 1991 by Phil Zimmermann and has long been viewed as a secure form of end-to-end encryption impossible for outsiders to access. Zimmermann is co-founder and chief scientist of Silent Circle, an encrypted communications firm.

PGP has in the past been endorsed, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the U.S. National Security Agency before fleeing to Russia.

PGP works using an algorithm to generate a 'hash', or mathematical summary, of a user's name and other information. This is then encrypted using the addressee's public 'key' and decrypted on receipt using their private key.

To exploit the weakness, a hacker would need to have access to an email server or the mailbox of a recipient. In addition the mails would need to be in HTML format and have active links to external content to be vulnerable, the BSI said.

It advised users to disable the use of active content, such as HTML code and outside links, and to secure their email servers against external access.

(By Douglas Busvine; Editing by Matthew Mpoke Bigg)


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityemailencryption

Featured

Slideshows

Ingram Micro maintains Showcase 2018 momentum in Wellington

Ingram Micro maintains Showcase 2018 momentum in Wellington

Ingram Micro maintained Showcase 2018 momentum in Wellington, hosting more than 40 vendors at TSB Arena. Under the banner of Leading the Way, the event demonstrated what’s new, what’s next and how it can be used to improve business and everyday life.

Ingram Micro maintains Showcase 2018 momentum in Wellington
Ingram Micro launches Showcase 2018 in Christchurch

Ingram Micro launches Showcase 2018 in Christchurch

Ingram Micro kickstarted Showcase 2018 in Christchurch, hosting more than 40 vendors at Horncastle Arena. Under the banner of Leading the Way, the event demonstrated what’s new, what’s next and how it can be used to improve business and everyday life.

Ingram Micro launches Showcase 2018 in Christchurch
Data breach notification laws in NZ: How can partners prepare?

Data breach notification laws in NZ: How can partners prepare?

This exclusive Reseller News Roundtable outlined the responsibilities facing security partners today, assessing risk while evaluating the role of the vendor in providing added layers of protection.

Data breach notification laws in NZ: How can partners prepare?
Show Comments