Email Encryption Standards Are Vulnerable to Hacking

Technology > Security

A man hacking a laptop. / Photo by: Getty Images


/MIME and OpenPGP, the two most common email encryption standards, are susceptible to hacking using the Efail attack, based on a study by researchers from the University of Applied Sciences (FH) in Münster, Horst Görtz Institute for IT Security at Ruhr-Universität Bochum, and the Katholieke Universiteit Leuven, according to the RUB News.

Encryption is a common feature in emails to prevent hackers and cybercriminals from illegally gaining access to content through compromised routers and email servers or by recording a message during transmission. Sebastian Schinzel, a professor from the Department Electrical Engineering and Computer Science at FH Münster, said it is a very realistic scenario in the aftermath of the Snowden whistleblowing crisis and numerous email server attacks.

Hackers can manipulate the intercepted message by adding their own malicious commands in encrypted form. The altered message is then sent to where the data is stored that's necessary for deciphering it -- either the recipient or the sender. When the message has been deciphered, the inserted commands will force the victim's email program to establish a communication link with the hackers the next time the email is opened. Via that connection, the decoded email is rerouted to the hackers who are now able to read the contents. This form of hacking was dubbed “Exfiltration with Malleability Gadgets” by the research team. 

S/MIME or Secure/Multipurpose Internet Mail Extensions and OpenPGP have been used since the 1990s. S/MIME is frequently used by organizations in encrypting all outgoing emails and decrypting all incoming emails. On the other hand, OpenPGP is preferred by individuals such as journalists covering war-torn areas or by whistleblowers like Edward Snowden. But the cryptography in the two email standards has not been updated since the 1990s even if the means of doing it have been available for a long time now.