The two common types of email encryption are not as secure as previously thought, German researchers have found. Both Windows and Apple users could be affected by the “Efail” problem.
14 May 2018 | Staff | DW
Encryption used by most email software — from Outlook and Windows Mail to Thunderbird and Apple Mail — can be intercepted by hackers who can read at least parts of the written text, a German-led research team announced on Monday.
Academics from Münster University of Applied Sciences, along with their peers at Ruhr University Bochum and KU Leuven in Belgium, said they were able to break two types of encryption that until now were so secure that even intelligence agencies couldn’t penetrate them.
Several tests, which were overseen by reporters from German daily Süddeutsche Zeitung (SZ) as well as public broadcasters NDR and WDR, showed severe weaknesses in the S/MIME and OpenPGP standards.
During the tests, which have been quickly dubbed “Efail” by German media, the team was able to trick computers into covertly forwarding them decrypted messages.
‘No guarantee of security’
The researchers warned that both tools can no longer sufficiently guarantee the security of encrypted messages.
S/MIME — which is primarily used by corporations to protect the security of their emails — was described as irreparably broken.
The more open-source PGP, which stands for Pretty Good Privacy, also has serious problems that leave it vulnerable to certain attacks, the team said.
PGP is used by activists, journalists and whistleblowers, including Edward Snowden, who revealed details of pervasive electronic surveillance by US intelligence agencies before fleeing to Russia.
PGP uses an algorithm to generate a “hash,” or mathematical summary, of a user’s name and other information. This is then encrypted with the sender’s private “key” and decrypted by the receiver using a separate public key.
Vulnerable to hackers
To exploit the weakness, a hacker would need to have access to an email server or the mailbox of a recipient. In addition, the mails would need to be in HTML format and have active links to external content to be vulnerable.
The team’s lead researcher, Sebastian Schinzel, admitted that: “Email is no longer a secure communication medium.”
He warned on Twitter that “there are currently no reliable fixes for the vulnerability.”
SZ described the findings as “so devastating that confidence in encrypted emails is likely to be lost, at least for the foreseeable future.”
Germany’s Federal Office for Information Security (BSI) admitted that the findings constituted “a serious security breach.”
But it said that, correctly used and configured, both forms of encryption remained secure. To prevent a breach, the BSI said that users needed to secure access to their mailboxes and prevent their email clients from loading HTML code from external websites.
The German media outlets that worked on the story said that Microsoft and Apple had been informed of the vulnerabilities.
Read This Day from Hawkins Bay Dispatch