EFail is Not a Failure of Encryption

May 25, 2018
EFail is another security problem related to email, but it has more to do with bad programming than busted encryption.

When one sees headlines like “Encrypted Email Has a Major, Divisive Flaw,” panic may ensue at the thought that there’s no longer a secure way to send email. Fortunately, that’s not the case with EFail. There is a vulnerability, but the underlying security technology remains secure. It’s one of many security-related problems, like the OpenSSL Heartbleed bug, caused by bad programming practices or a bad implementation, rather than an inherent error in the underlying security approach.

EFail is actually a set of problems in some email clients that use the PGP and S/MIME security protocols to encrypt and authenticate HTML emails. The details of the EFail vulnerability highlight the direct exfiltration attack and the CBC/CFB gadget attack. In general, they exploit loopholes in the email security implementations that let the email client itself do the work of decrypting the data. The actual attacks are more involved, but there are simple ways to mitigate some of them.

What EFail does highlight is the need to examine not only the security stacks one might use in an embedded project, but also how they’re used. It’s also important to examine where security-critical data resides, where it is used, and how it moves through the program. Finally, security in depth will often come into play, as mitigation of security-related problems can only occur if the mitigation process itself isn’t compromised.

One other issue that’s often not discussed with respect to security is intrusion/threat detection and monitoring. It’s a discussion typically heard in enterprise networking scenarios, but not as much in embedded environments. Tools in this category include Snort, OSSEC, and Tripwire.

The bottom line is that security doesn’t start and end with an encrypted link from an embedded device to a cloud service. Security needs to be part of the design, and developers need a proper understanding of security, its components, and how they relate to the applications, middleware, and operating systems being used for an embedded solution.

One should not discount problems simply because they’re discovered in things like email clients designed for end users. In EFail’s case, this included email clients like Thunderbird and Apple Mail. Many times, the problems are related to underlying support that’s just as likely to show up in an embedded system—often with the same code.

About the Author

William G. Wong | Senior Content Director - Electronic Design and Microwaves & RF
