
EFail is Not a Failure of Encryption

May 25, 2018
EFail is another security problem related to email, but it has more to do with bad programming than busted encryption.

When one sees headlines like “Encrypted Email Has a Major, Divisive Flaw,” a panic attack may ensue because it sounds as though there’s no longer a secure way to send email. Fortunately, that’s not the case with the EFail vulnerability. There’s a vulnerability, but the underlying security technology remains secure. It’s one of many security-related problems, like the OpenSSL Heartbleed bug, caused by bad programming practices or a bad implementation, rather than an inherent error in the underlying security approach.

EFail is actually a set of problems in some email clients that utilize PGP and S/MIME security protocols for encryption and authentication for HTML emails. The details of the EFail vulnerability highlight the direct exfiltration attack and the CBC/CFB Gadget attack. In general, they exploit loopholes in the email security implementations that allow the email clients to do the work of decrypting data. The actual attacks are more involved, but there are simple ways to mitigate some of them.

What EFail does highlight is the need to examine not only the security stacks one might use in an embedded project, but how they’re used. It’s also important to examine where security-critical data resides, where it is used, and how it moves through the program. Finally, security in depth will often come into play, because mitigation of security-related problems can only occur if the mitigation process itself isn’t compromised.

One other issue that’s often not discussed with respect to security is intrusion/threat detection and monitoring. It’s a discussion typically heard in enterprise networking scenarios, but not as much in embedded environments. Such monitoring includes tools like Snort, OSSEC, and Tripwire.

The bottom line is that security doesn’t start and end with an encrypted link from an embedded device to a cloud service. Security needs to be included as part of a design, and developers need a proper understanding of security, its components, and how they relate to the applications, middleware, and operating systems being used for an embedded solution.

One should not discount problems simply because they’re discovered in things like email clients designed for end users. In EFail’s case, this included email clients like Thunderbird and Apple Mail. Many times, the problems are related to underlying support that’s just as likely to show up in an embedded system—often with the same code.
