Academics Devise Attacks Targeting Email End-to-End Encryption

A group of academic researchers has devised practical attacks against major standards in email end-to-end encryption, which could lead to the exfiltration of sensitive information.

The proposed attacks target the OpenPGP and S/MIME encryption schemes, and can be used to leak private keys and other data, researchers with the Ruhr University Bochum and Münster University of Applied Sciences explain in a newly published paper.

One of the proposed attack models considers the adversary as being located between the communication partners and able to conduct a man-in-the-middle (MitM) attack (such as an internet or email provider, or a compromised SMTP or IMAP server).

The second model abuses the mailto URI scheme, which allows third-party apps to invoke an email client to facilitate the composition of a message to a given email address. The various parameters that the mailto URIs pass to the email client, including the header, can be abused as attack vectors.

“An evaluation shows that 8 out of 20 tested email clients are vulnerable to at least one attack. While our attacks do not target the underlying cryptographic primitives, they raise concerns about the practical security of OpenPGP and S/MIME email applications,” the researchers explain.

In their paper, the researchers demonstrate that a design flaw in the key update mechanism can be abused by an attacker to silently replace the public keys that are used in encrypted S/MIME communications.

The academics also show that standard mailto parameters can be abused to trick the email client into decrypting ciphertext messages or signing arbitrary messages and sending them to the attacker, provided that auto-saving of drafts is supported.

Not only can an attacker leak the plaintext of PGP-encrypted messages or abuse the victim email client as a signing oracle, but they can also exfiltrate the PGP private key through a specially crafted mailto URI scheme, and even leak other files on the disk, the researchers say.

They tested their attacks on a list of 20 popular email clients, supporting either S/MIME or OpenPGP, from a list of more than 50 clients for all major platforms (Windows, Linux, macOS, Android, iOS, and web).

“Using six email clients supporting S/MIME, we could silently replace the encryption key in the scenario of an active MitM attacker. For three OpenPGP capable clients we could exfiltrate the plaintext to an attacker controlled IMAP server or misuse them as signing oracles. Four clients support the dangerous mailto parameter to attach arbitrary files such as PGP private keys on disk to an email message sent back to the attacker,” the paper reads.

The identified vulnerabilities have been reported to the affected vendors and received the following CVE identifiers: CVE-2020-4089, CVE-2020-11879, CVE-2020-11880, CVE-2020-12618, and CVE-2020-12619. In their paper, the researchers also provide information on recommended countermeasures, urging vendors to improve email end-to-end security.

Related: Bill Aimed at Ending ‘Warrant-Proof’ Encryption Introduced in House

Related: Inside GCHQ’s Proposed Backdoor Into End-to-End Encryption

Related: Tech Companies Partner to Securely Connect IoT to Cloud