The past three days have highlighted the potential perils that can threaten people who rely on desktop computers to send encrypted messages. The events—which involve encrypted email and the desktop versions of the Signal and Telegram messaging programs—should in no way discourage people from using encryption. They do, however, provide important teaching moments about the often overlooked limitations of these apps.
Monday brought word of decade-old flaws that might reveal the contents of PGP- and S/MIME-encrypted emails. Some of the worst flaws resided in email clients such as Thunderbird and Apple Mail and offer a golden opportunity to attackers who have already intercepted previously sent messages. By embedding the intercepted ciphertext in invisible parts of a new message sent to a sender or receiver of the original email, attackers can force the client to leak the corresponding plaintext. Thunderbird and Mail have yet to be patched, although the Thunderbird flaw has been mitigated by a update published Wednesday in the Enigmail GPG plugin.
In an advisory published Wednesday, the researchers demonstrated the severity of the flaw by writing a proof-of-concept exploit that uploaded messages to an attacker-controlled server. The exploit worked by pulling code off of an Internet-connected SMB drive and then executing it on a Windows computer running the vulnerable version of Signal. Here’s a video demonstration:
The researchers said the same technique had the potential to make “wormable” exploits, meaning they would spread from vulnerable machine to vulnerable machine with no user interaction required. Again, with the patch that Signal issued on Monday, that vulnerability no longer exists.
The flaw came to light only a few days after the disclosure of another weakness in Signal desktop that allowed messages that were supposed to self-delete after a set period of time to live on indefinitely deep inside the macOS file system. Signal developers fixed that bug as well after researchers privately reported it.
Also on Wednesday, researchers with Cisco’s Talos team disclosed the existence of malware infecting thousands of people using Telegram desktop. The malware steals log-in credentials, text files, and other potentially sensitive data and stores it in accounts that can be accessed by anyone who analyzes the malware code. The malware gets installed by tricking people into clicking on executable files. It was created by someone who posted several videos on YouTube showing how to use the malware, presumably in an attempt to sell the malware to other attackers.
The threats involving encrypted email, Signal desktop and Telegram desktop are different in several important respects. The first involves flaws that are more than 10 years old that were or still are in dozens of email clients and various encryption implementations. The second threat affected Signal desktop for about one month (mobile versions were never vulnerable). The third doesn’t exploit any vulnerability at all in Telegram, since (1) developers are clear the desktop version doesn’t provide secret chats and (2) the malware relies on social engineering of a user.
Still, one common thread is that all three threats involved encrypted messaging platforms that are trusted by huge numbers of users.
“The takeaway is really that there is no completely secure code,” Craig Williams, a Cisco researcher and director of outreach for Cisco’s Talos security team, told Ars. “There is no magic unhackable OS. Every single time you choose to use something and trust it with a secret you are making a choice based on trust. The more people we have looking at code for bugs the more we can trust it. Each time we find things like this it’s a good thing.”
Knowing that even trusted software can be hacked means users need to maintain a measured level of paranoia rather than placing blind trust in encryption. And that, in turn, means taking steps to decrease what security practitioners call “attack surface.” The most effective way to reduce attack surface for PGP email is to disable its integration in email programs and instead use a separate application for encrypting and decrypting messages. Many people have rejected this approach as unnecessarily burdensome, even though this was precisely the advice Edward Snowden gave then-Guardian reporter Glenn Greenwald in this 2013 video tutorial (starting around 8:15). At a minimum, decreasing PGP attack surface requires turning off HTML remote image loading in email.
It’s harder to draw actionable takeaways from the Signal and Telegram threats. One possible conclusion is that it’s probably safer to run these apps on mobile devices, because those platforms have application sandboxing that prevents them from interacting with as many resources as their desktop counterparts. The truly paranoid should consider forgoing the convenience of these desktop versions, or at a minimum manually wiping the most sensitive messages from hard drives as soon as practical. And, of course, people should always remember that no form of encryption will save users when one of the endpoints is compromised.
No, none of these suggestions for securing encrypted communications is foolproof, and that’s the biggest takeaway from the past three days.