FRANKFURT (Reuters) – European researchers have found that the popular PGP and S/MIME email encryption standards are vulnerable to being hacked and they urge users to disable and uninstall them immediately.
FILE PHOTO: WhatsApp and Facebook messenger icons are seen on an iPhone in Manchester , Britain March 27, 2017. REUTERS/Phil Noble -/File Photo
University researchers from Muenster and Bochum in Germany, and Leuven in Belgium, discovered the flaws in the encryption methods that can be used with popular email applications such as Microsoft Outlook and Apple Mail.
“There are currently no reliable fixes for the vulnerability,” lead researcher Sebastian Schinzel, professor of applied cryptography at the Muenster University of Applied Sciences, said on Monday.
“If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”
The team had been due to publish its full findings on Tuesday but rushed them out after the news made waves among the community of encrypted email users that includes activists, whistleblowers and journalists working in hostile environments.
Titling the exploit ‘Efail’, they wrote that they had found two ways in which hackers could effectively coerce an email client into sending the full plaintext of messages to the attacker.
There’s no immediate suggestion that spy agencies or state-sponsored hackers have already used the technique to burrow into people’s emails.
The researchers have informed email providers of their findings, under so-called responsible disclosure, and it now falls to others to establish whether the exploits can be replicated.
In the first exploit, hackers can ‘exfiltrate’ emails in plaintext by exploiting a weakness inherent in Hypertext Markup Language (HTML), which is used in web design and in formatting emails.
Apple Mail, iOS Mail and Mozilla Thunderbird are all vulnerable to direct exfiltration, they said.
A second attack takes advantage of flaws in OpenPGP and S/MIME to inject malicious text that in turn makes it possible to steal the plaintext of encrypted emails.
The vulnerabilities in PGP and S/MIME standards pose an immediate risk to email communication including the potential exposure of the contents of past messages, said the Electronic Frontier Foundation (EFF), a U.S. digital rights group.
In a blog post, the EFF recommended that PGP users uninstall or disable their PGP email plug-ins while the research community evaluates the seriousness of the flaws reported by the European research team.
It also said that users should switch for the time being to non-email-based secure messaging apps such as Signal for sensitive communications.
Germany’s Federal Office for Information Security (BSI) said in a statement there were risks that attackers could secure access to emails in plaintext once the recipient had decrypted them.
It added, however, that it considered the encryption standards themselves to be safe if correctly implemented and configured.
“Securely encrypted email remains an important and suitable means of increasing information security,” it said in a statement, adding that the flaws which have been discovered can be remedied through patches and proper use.
PGP – short for Pretty Good Privacy – was invented back in 1991 by Phil Zimmermann and has long been viewed as a secure form of end-to-end encryption impossible for outsiders to access. Zimmermann is co-founder and chief scientist of Silent Circle, an encrypted communications firm.
PGP has in the past been endorsed, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the U.S. National Security Agency before fleeing to Russia.
PGP works using an algorithm to generate a ‘hash’, or mathematical summary, of a user’s name and other information. This is then encrypted with the sender’s private ‘key’ and decrypted by the receiver using a separate public key.
To exploit the weakness, a hacker would need to have access to an email server or the mailbox of a recipient. In addition the mails would need to be in HTML format and have active links to external content to be vulnerable, the BSI said.
It advised users to disable the use of active content, such as HTML code and outside links, and to secure their email servers against external access.
There’s no need for a hacker to attack a server or network if they can simply trick someone into disclosing confidential information. Microsoft is adding an additional layer of defense to help stop that from happening—if you subscribe to Office 365.
In the coming weeks, Microsoft said it will begin showing what it calls “Safety Tips” at the top of email: colored bars to let you know whether an email is safe, suspicious, or known to be fraudulent. Microsoft said Safety Tips will be managed by Exchange Online Protection, the back-end protection mechanism used to secure email sent through Office 365.
Why this matters: Everyone tells you, don’t click on suspicious links!—and yet we do, because we don’t necessarily think the link is suspicious. It might be a purported email from HR, or from a client, or an urgent request that comes in late on a Friday. Microsoft’s Safety Tips won’t be able to block everything, but it’s an additional layer of security that will make the crook’s job a little harder. Of course, it’s also another reason to subscribe to Office 365.