What You Need to Know About the Encrypted Email Attack eFail
eFail is an email-based attack that is exploiting a vulnerability of a few encrypted email standards. The attack was discovered by a group of German and Belgian researchers who found PGP and S/MIME to be vulnerable.
Is the use of PGP or S/MIME common?
Actually, no. PGP and S/MIME have been around awhile, but it’s difficult to set up, as both the sender and receiver have to exchange keys to encrypt/decrypt messages, and so most people don’t use it.
Should I be concerned?
Chances are if you don’t know whether you are using PGP or S/MIME, you probably aren’t using it.
So how does the attack work? According to news articles, if an attacker can intercept or modify encrypted emails, it would theoretically be possible to exploit how the message will be processed by the email client. Simplified, this means that if one of these two methods for encrypting email is exploited, it could reveal your plain text communications. However, no such exploits have been known to be weaponized or circulated.
While there is no current fix for eFail, there are a few things to note
The attack requires hackers to have a high level of access to your system to begin with. If they don’t have a way of intercepting your encrypted messages, then they are out of luck. However, Sebastian Schinzel, one of the researchers on the project who runs the IT security lab at the Münster University of Applied Sciences, and many others, recommend that you disable the use of PGP/GPG and S/MIME in your email client for any sensitive communication until a fix has been addressed. Users should also deactivate other conveniences, if they haven’t already, like displaying images sent by a sender on default. By setting the PGP plugin to only show the text of the message and none of the formatting or multimedia, you should be in a good spot.
However, it is also recommended that users of the following email clients disable the use of PGP/GPG and S/MIME temporarily:
- Gpg4win on Outlook
- Enigmail on Thunderbird
- GPG Tools on Apple Mail
- Outlook 2013 / 2016 are also vulnerable to some user interaction with S/MIME
To summarize, what can we learn from this latest vulnerability?
- This incident once again reveals widespread use of old and unsupported mail clients like Outlook 2007. If you are still using Outlook 2007 it is time to update to Outlook 2013 or Outlook 2016.
You can almost never go wrong by staying up to date on patching. Patch your email clients and plugins as soon as the updates become available.
- We’ll likely need to wait awhile for an update to the OpenPGP and S/MIME standards, so be patient.