
University researchers show that standard email encryption methods can be hacked

A research team from the University of Applied Sciences (FH) in Münster, Horst Görtz Institute for IT Security at Ruhr-Universität Bochum (RUB), and Katholieke Universiteit Leuven has demonstrated that the two most common email encryption standards are vulnerable to attacks.

Their attack, referred to as Efail, proved successful in 25 out of 35 tested email programs using the S/MIME encryption standard and in 10 out of 28 tested programs using OpenPGP. The program developers have been informed and have fixed the security gaps. The experts urgently recommend updating the underlying cryptographic algorithms in order to withstand any potential attacks in future. Detailed information on their attack has been published at https://efail.de/.

A realistic attack scenario

Emails are encrypted in order to hide their contents from network providers, cybercriminals, and intelligence services who might gain access to them via hacked routers, an email server, or by recording a message during transmission.

The attacker manipulates the intercepted message by inserting their own malicious commands in encrypted form. The altered message is then sent to one of the recipients or back to the sender, i.e. to a party who holds the key material needed to decrypt it.

After the message has been decrypted, the inserted commands cause the victim's email program to open a connection to the attacker the next time the email is displayed. This kind of connection is entirely routine: it is how images or design elements in emails are loaded. Over that connection, the decrypted email is sent to the attacker, who can then read it. The researchers named this novel attack method ‘Exfiltration with Malleability Gadgets’.
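The exfiltration channel described above depends on the mail client fetching remote resources while it renders the decrypted body. The following Go program is an added illustration, not code from the researchers or from this page: it shows the check a mail client or gateway can apply before rendering, namely finding every remote reference an HTML body would load automatically and rewriting it so that nothing is fetched. The sample body, the attribute list and the regular expression are constructed for this example; a production client should hook its HTML engine's resource loader rather than rely on a regex.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleBody is a constructed decrypted HTML mail body. It mixes content a
// renderer fetches automatically (img src, CSS url) with a plain link, which
// is only followed on a click and is therefore not an automatic fetch.
const SampleBody = `<p>Quarterly numbers attached.</p>
<img src="https://example.invalid/pixel.png" width="1" height="1">
<div style="background:url(//example.invalid/style.css)">...</div>
<a href="https://example.invalid/report">Open report</a>`

// remoteRef matches URL-bearing attributes that cause an automatic fetch
// (src, background, poster) and CSS url(...) values that point at a remote
// host (absolute http/https or protocol-relative). Group 1 or group 2 holds
// the URL. The attribute list is deliberately illustrative, not exhaustive.
var remoteRef = regexp.MustCompile(
	`(?i)(?:src|background|poster)\s*=\s*["']?((?:https?:)?//[^"'\s>]+)` +
		`|url\(\s*["']?((?:https?:)?//[^"')\s]+)`)

// urlOf picks whichever capture group matched.
func urlOf(m []string) string {
	if m[1] != "" {
		return m[1]
	}
	return m[2]
}

// RemoteResources lists every remote URL the renderer would fetch for body.
func RemoteResources(body string) []string {
	var out []string
	for _, m := range remoteRef.FindAllStringSubmatch(body, -1) {
		out = append(out, urlOf(m))
	}
	return out
}

// BlockRemoteContent rewrites each remote reference to about:blank so no
// network request is made, and returns the URLs that were blocked so the
// client can log them or show the user what was suppressed.
func BlockRemoteContent(body string) (string, []string) {
	var blocked []string
	safe := remoteRef.ReplaceAllStringFunc(body, func(match string) string {
		u := urlOf(remoteRef.FindStringSubmatch(match))
		blocked = append(blocked, u)
		return strings.Replace(match, u, "about:blank", 1)
	})
	return safe, blocked
}

func main() {
	safe, blocked := BlockRemoteContent(SampleBody)
	fmt.Println("blocked:", blocked)
	fmt.Println(safe)
}
```

The point of returning the blocked list rather than silently dropping the references is that a decrypted message which tries to load remote content is itself a signal worth surfacing to the user or to a log, since an unexpected fetch from inside encrypted mail is exactly the symptom the researchers describe.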

Enterprise, journalist, whistleblower

The email encryption standards S/MIME - short for Secure/Multipurpose Internet Mail Extensions - and OpenPGP have been in use since the 1990s. S/MIME is frequently deployed by enterprises that encrypt all outgoing and decrypt all incoming emails.

The underlying cryptography hasn't been updated since the 1990s, even though better techniques have long been available.

"This type of cryptography has been broken more than once in other Internet standards, e.g. in TLS, short for Transport Layer Security, a protocol for the encryption of online data transmission. We have now demonstrated for the first time that it is also vulnerable as far as email encryption is concerned," explains Prof Dr Jörg Schwenk from the Chair for Network and Data Security at RUB.

In the case of S/MIME, the successful attack shows that the current standard is not suitable for secure communication, say the researchers. Additionally, while OpenPGP can be configured and used securely, the researchers' practical analyses showed that this is often not the case, so it should also be considered insecure.
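The "type of cryptography" the researchers refer to is unauthenticated encryption: ciphertext that the recipient decrypts without first verifying that it was not modified in transit. The Go program below is an added example, not the researchers' code or anything from the standards themselves, that makes the difference concrete: with AES-CBC and no integrity check, flipping one bit of the ciphertext produces a predictably altered plaintext and no error at all, whereas AES-GCM rejects the same tampering outright. The key and message are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// DemoKey is a constructed, fixed AES-256 key used only for this illustration.
var DemoKey = []byte("0123456789abcdef0123456789abcdef")

// pkcs7Pad pads b to a whole number of AES blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad removes and validates PKCS#7 padding.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptCBC is AES-CBC with a random IV and no integrity protection, the
// shape of the legacy modes the article discusses. Output is iv || ciphertext.
func EncryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, aes.BlockSize+len(padded))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptCBC decrypts iv || ciphertext. Nothing here can detect tampering;
// only the padding is checked, and a flipped IV bit leaves the padding intact.
func DecryptCBC(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// EncryptGCM is AES-GCM, an authenticated mode. Output is nonce || ciphertext+tag.
func EncryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptGCM returns an error, and no plaintext, if a single bit was changed.
func DecryptGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("bad ciphertext length")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

// FlipBit returns a copy of data with the bits in mask toggled at index.
func FlipBit(data []byte, index int, mask byte) []byte {
	out := append([]byte{}, data...)
	out[index] ^= mask
	return out
}

func main() {
	msg := []byte("Meeting moved to 10:00, room B.")
	cbc, _ := EncryptCBC(DemoKey, msg)
	got, err := DecryptCBC(DemoKey, FlipBit(cbc, 0, 0x01)) // byte 0 is the IV
	fmt.Printf("CBC, IV bit flipped: err=%v plaintext=%q\n", err, got)
	gcm, _ := EncryptGCM(DemoKey, msg)
	_, err = DecryptGCM(DemoKey, FlipBit(gcm, 12, 0x01)) // byte 12 is the first ciphertext byte
	fmt.Printf("GCM, ciphertext bit flipped: err=%v\n", err)
}
```

For a defender the lesson is twofold: the mode in use must provide integrity (an authenticated mode such as GCM, or OpenPGP's modification detection code), and the client must treat an integrity failure as fatal, refusing to render or act on the plaintext rather than displaying it with a warning.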
