Talk to sales
Start for free

EFAIL is a set of vulnerabilities discovered in 2018 that affected certain email encryption protocols, such as OpenPGP and S/MIME. These vulnerabilities focused on how email clients processed encrypted emails, specifically how they interacted with encryption software. EFAIL highlighted the importance of reliable implementation and secure handling of encrypted communications to maintain the privacy and security of protected health information (PHI).


Understanding encryption

Email encryption involves encoding the email's contents to ensure it is not accessible to unauthorized persons. Encryption is a requirement of HIPAA as it assures the protection of PHI against potential violations and breaches. The forms of email encryption are:

  1. OpenPGP: Otherwise known as Open Pretty Good Privacy, it uses a combination of encryption techniques to secure emails, providing strong confidentiality.
  2. S/MIME: Secure/Multipurpose Internet Mail Extensions rely on digital certificates to encrypt email content and verify the identity of senders and recipients.
  3. Transport Layer Security (TLS): Encrypts email communication between mail servers, ensuring the data remains secure during transit.
  4. Secure Webmail Service: Some email clients offer built-in encryption within web browsers to keep email content encrypted until it reaches the recipient. 
  5. Gateway Encryption: This adds an extra layer of security by encrypting outgoing emails at the email gateway and decrypting incoming emails before delivery.


Types of EFAIL attacks

CBC/CFB gadget attacks

Cipher Feedback (CBC) and Cipher Block Chaining (CFB) mode attacks exploit OpenPGP and S/MIME encryption vulnerabilities. By manipulating plaintext blocks in the CBC mode, an attacker can inject a malicious image tag into the encrypted plaintext, causing the email clients to unintentionally reveal the plaintext when opened. OpenPGP uses CFB mode, which allows a similar attack using CFB gadgets.


Direct exfiltration attacks

Direct exfiltration attacks target specific email clients like Apple Mail, iOS Mail, and Mozilla Thunderbird. By crafting a multipart email with an unclosed image tag and combining it with encrypted ciphertext, the attacker tricks the email client into sending the plaintext of the encrypted email to the attacker when it requests the image.


How an EFAIL attack can occur

  1. Decrypting and processing of encrypted emails: An encrypted email received by a recipient goes through the decryption process to make the content readable.
  2. Parsing and rendering of HTML elements in encrypted emails: Parsing involves breaking down a complex structure, HTML components such as images or data files, into parts to understand its components and structure. When an email contains these HTML components, parsing is necessary. It is then rendered to ensure it is readable. 
  3. Malicious modification of encrypted email content: Attackers manipulate specific parts of the encrypted email, usually by injecting malicious code or altering the HTML structure.
  4. Unintended disclosure of decrypted content: Upon receipt, this manipulated email triggers a vulnerability in the recipient's encryption implementation. As a result, the email client mistakenly sends back decrypted content to the attacker or performs unintended actions based on the manipulated email.
  5. Unauthorized access to extracted decrypted content: The attacker receives the decrypted content, gaining access to the originally encrypted information without having direct access to the encryption keys.

Note that EFAIL attacks usually require the user to act, like opening a manipulated email or clicking on a harmful link, to succeed. The effects of these attacks can differ based on the email client used and how it handles encryption.


Weaknesses exposed by the EFAIL attack

The 2018 EFAIL attack exposed several vulnerabilities in the email encryption process of email clients that support S/MIME and OpenPGP, which left holes in the protection of PHI. The vulnerabilities include:

  • Inadequate handling of HTML content
  • Improper interaction with encryption software
  • Insufficient input validations
  • The reliance on user-triggered actions for exploitation

These weaknesses in the handling of encrypted emails enabled attackers to exploit vulnerabilities, manipulate the content of the encrypted messages, and subsequently reveal the decrypted information unintentionally. This unintended disclosure exposed encrypted information to the attacker, even without direct access to the encryption keys.


Mitigation and countermeasures

EFAIL-related vulnerabilities have existed for over a decade and present considerable disadvantages to using S/MIME and OpenPGP encryption methods. As such, the following are possible but not foolproof methods of mitigating the risk associated with the use of EFAIL:

  1. Use TLS instead of PGP and S/MIME: Transport Layer Security, or TLS, is an encryption protocol used to secure the communication channel between email clients and email servers. It is the most common method to secure communications among computers or over networks.
  2. No decryption in email service provider: This is considered the best method and involves decrypting S/MIME or PGP emails in a separate application by removing the private keys from your email client. Then copy and paste the ciphertext into the external application for decryption, preventing email clients from opening exfiltration channels. This does come with the disadvantage of requiring additional time and effort compared to decrypting directly within the email client.
  3. Disable HTML rendering: Disabling the rendering of incoming HTML emails in your email client prevents the most common EFAIL attack method. This does not negate the risk of other potential backchannels in email clients unrelated to HTML.
  4. Patching: Some software will release patches to make EFAIL vulnerabilities harder to exploit. 
  5. Update OpenPGP and S/MIME standards: The EFAIL attacks exploit flaws and undefined behavior in the MIME, S/MIME, and OpenPGP standards. Therefore, it is necessary to update these standards, which will take time.

Related: PGP and S/MIME aren't as secure as you think


Alternative options to avoid EFAIL attacks

Considering the threat posed to PHI by the EFAIL vulnerabilities associated with using OpenPGP and S/MIME and the additional effort needed to mitigate EFAIL attacks, exploring alternative email encryption options is worthwhile. HIPAA compliant email services like Paubox, which utilize TLS encryption, provide a secure and user-friendly method of communication that involves less work to avoid possible violations or breaches of data. 


Paubox and TLS

Paubox now uses TLS 1.3 encryption for all of its solutions, including Paubox Email Suite. When you send encrypted email via Paubox, our platform automatically chooses TLS 1.3 as the default encryption choice, an upgrade that helps maintain our position as the market leader for HIPAA compliant email.

But what happens when an email recipient doesn't support encryption? Paubox has patented its unique approach to email security and encryption, particularly when sending email to addresses that don't support TLS. If a TLS connection cannot be established, Paubox stops your message from being delivered in plain text. Instead, recipients get an email telling them to click on a link to view the message and reply via a secure HTTPS website. In today's healthcare environment, guaranteed TLS encryption is essential for email security.

Start a 14-day free trial of Paubox Email Suite today