When one sees headlines like “Encrypted Email Has a Major, Divisive Flaw,” a panic attack may ensue because there’s no longer a secure way to send email. Fortunately, that’s not the case with the EFail vulnerability. There’s a vulnerability, but the underlying security technology remains secure. It’s one of many security-related problems, like the OpenSSL Heartbleed bug, caused by bad programming practices or a bad implementation, rather than an inherent error in the underlying security approach.
EFail is actually a set of problems in some email clients that utilize PGP and S/MIME security protocols for encryption and authentication for HTML emails. The details of the EFail vulnerability highlight the direct exfiltration attack and the CBC/CFB Gadget attack. In general, they exploit loopholes in the email security implementations that allow the email clients to do the work of decrypting data. The actual attacks are more involved, but there are simple ways to mitigate some of them.
What EFail does highlight is the need to examine not only the security stacks one might use in an embedded project, but how they’re used. It’s also important to examine where security-critical data resides, is used, and how it moves through the program. Finally, security in depth will often come into play as mitigation of security-related problems can only occur if the mitigation process isn’t compromised.
One other issue that’s often not discussed with respect to security is intrusion/threat detection and monitoring. It’s a discussion typically heard in enterprise networking scenarios, but not as much in embedded environments. This includes tools like Snort, OSSEC, and Tripwire.
The bottom line is that security doesn’t start and end with an encrypted link from an embedded device to a cloud service. Security needs to be included as part of a design, as well as having developers with the proper understanding of security and its components and how they relate to the applications, middleware, and operating systems being used for an embedded solution.
One should not discount problems simply because they’re discovered in things like email clients designed for end users. In EFail’s case, this included email clients like Thunderbird and Apple Mail. Many times, the problems are related to underlying support that’s just as likely to show up in an embedded system—often with the same code.