WithSecure highlights flaw in MS Office 365 Message Encryption. WithSecure has issued an advisory over the way Microsoft encrypts messages in Office 365. The problem stems from Microsoft's choice of the Electronic Codebook (ECB) block cipher confidentiality mode, as defined by the US National Institute of Standards and Technology (NIST). NIST itself now acknowledges the weakness of this mode, but its replacement guidance is not due until 2023.

The result is that any message encrypted with Office 365 Message Encryption (OME) leaks information under the conditions WithSecure describes. This is not just about capturing messages in transit. The attack works against any set of OME messages an attacker holds, present or historical, and a fix applied today does nothing for mail already sent. This is another case where historic data presents a risk to an enterprise.

Harry Sintonen, consultant and security researcher at WithSecure, commented, “Attackers who are able to get their hands on multiple messages can use the leaked ECB info to figure out the encrypted contents. More emails make this process easier and more accurate, so it’s something attackers can perform after getting their hands on e-mail archives stolen during a data breach, or by breaking into someone’s email account, e-mail server or gaining access to backups.”

What is not clear is how many emails are required to make this attack possible. WithSecure says, “An attacker with a large database of messages may infer their content (or parts of it) by analyzing relative locations of repeated sections of the intercepted messages.”

What it doesn’t do is define how large that database has to be. Is it thousands, tens of thousands or millions of messages?

How does this attack work?

NIST reports that “The ECB mode encrypts plaintext blocks independently, without randomization; therefore, the inspection of any two ciphertext blocks reveals whether or not the corresponding plaintext blocks are equal.”

Such a comparison highlights data repeated across messages, such as signature blocks or other boilerplate. Because the comparison is made block by block, it finds repeated plaintext that lands at the same 16-byte block offset in different messages; that alignment is not guaranteed for any one pair of emails, but across a large enough set it happens by chance often enough to be useful. That allows attackers to map the structure of messages without ever recovering the key.

According to WithSecure, “[A] malicious 3rd party gaining access to the encrypted email messages may be able to identify content of the messages since ECB leaks certain structural information of the messages. This leads to potential loss of confidentiality.”

In its analysis, WithSecure gives examples of recovering image content from messages. However, it stops short of providing examples of body text being recovered. That leaves open how much of a message an attacker can uncover, and how they would leverage it.

It is also important that the choice of block cipher makes no difference here. WithSecure showed it was able to recover the contents of an image that had been encrypted with AES. The failure is not in AES but in the ECB mode of operation, which leaks the same information whatever block cipher sits underneath it.
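The following program is an added example, not code from WithSecure's advisory or from Microsoft, to make the two points above concrete: the block-equality leak NIST describes, and the fact that it is a property of the mode rather than of AES. It builds two constructed emails with different bodies and the same signature, encrypts them with AES in ECB mode (Go's standard library deliberately ships no ECB, so the block-by-block loop is written out) and again in CBC with a random IV, then lists which ciphertext blocks the two encrypted messages share. The key, the message text and the Signature constant are made up for the example; the body is space-padded to a block boundary to stand in for the message pairs in a real mailbox where the boilerplate happens to fall at the same block offset.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed example key. The leak shown here does not depend on the key,
// only on the mode, so a fixed key keeps the run reproducible.
var exampleKey = []byte("0123456789abcdef0123456789abcdef")

// Constructed boilerplate both messages end with, standing in for the
// signature block every mail from one sender carries.
const Signature = "\n--\nAlice Example\nChief Financial Officer\nExample Corp\n"

// ExampleMessages returns two constructed mails with different bodies and the
// same signature. The body is space-padded to a block boundary so the
// signature starts at the same offset modulo 16 in both; in a real mailbox
// that alignment is not engineered but occurs by chance for a fraction of
// message pairs, a fraction that grows with the number of messages held.
func ExampleMessages() (a, b []byte) {
	a = append(alignToBlock("Bob, the Q3 forecast is attached. Please keep it internal."), Signature...)
	b = append(alignToBlock("Carol, payroll runs next Friday."), Signature...)
	return a, b
}

func alignToBlock(s string) []byte {
	out := []byte(s)
	for len(out)%aes.BlockSize != 0 {
		out = append(out, ' ')
	}
	return out
}

// pkcs7Pad pads to a whole number of blocks, always adding at least one byte.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EcbEncrypt encrypts each block independently with the same key. This loop
// is all ECB is, which is why equal plaintext blocks always give equal
// ciphertext blocks, whatever the block cipher.
func EcbEncrypt(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pt := pkcs7Pad(plaintext)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// CbcEncrypt is the comparison: a fresh random IV chains the blocks, so the
// same plaintext block yields a different ciphertext block every time. The IV
// is returned as the first 16 bytes of the output.
func CbcEncrypt(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pt := pkcs7Pad(plaintext)
	ct := make([]byte, aes.BlockSize+len(pt))
	if _, err := rand.Read(ct[:aes.BlockSize]); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(block, ct[:aes.BlockSize]).CryptBlocks(ct[aes.BlockSize:], pt)
	return ct
}

// SharedBlocks returns the byte offsets of every block of a whose ciphertext
// also occurs as a block of b: the inspection NIST describes. Under ECB each
// hit proves the two 16-byte plaintext blocks are identical, without the key.
// Under CBC a hit would need a chance collision of two random-looking blocks.
func SharedBlocks(a, b []byte) []int {
	seen := make(map[[aes.BlockSize]byte]bool)
	for i := 0; i+aes.BlockSize <= len(b); i += aes.BlockSize {
		var blk [aes.BlockSize]byte
		copy(blk[:], b[i:])
		seen[blk] = true
	}
	var hits []int
	for i := 0; i+aes.BlockSize <= len(a); i += aes.BlockSize {
		var blk [aes.BlockSize]byte
		copy(blk[:], a[i:])
		if seen[blk] {
			hits = append(hits, i)
		}
	}
	return hits
}

func main() {
	a, b := ExampleMessages()
	ecbHits := SharedBlocks(EcbEncrypt(exampleKey, a), EcbEncrypt(exampleKey, b))
	cbcHits := SharedBlocks(CbcEncrypt(exampleKey, a), CbcEncrypt(exampleKey, b))
	// Under ECB the shared offsets are exactly where the signature sits, so an
	// attacker learns where the boilerplate is, and therefore which messages
	// come from the same sender, with no key material at all.
	fmt.Printf("ECB: %d shared ciphertext blocks at offsets %v of message A\n", len(ecbHits), ecbHits)
	fmt.Printf("CBC: %d shared ciphertext blocks\n", len(cbcHits))
}
```

With the 55-byte signature above, ECB reports four shared blocks (three full signature blocks plus the final block of signature tail and PKCS#7 padding, which is also identical in both messages), while CBC reports none. Swapping aes.NewCipher for any other block cipher changes nothing about the ECB result, which is the point made above: the weakness is the mode, not the cipher.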

What has Microsoft said?

WithSecure publishes the timeline from its report to Microsoft through to Microsoft's final response. That response reads:

“The report was not considered meeting the bar for security servicing, nor is it considered a breach. No code change was made and so no CVE was issued for this report.”

The question is how Microsoft arrived at this conclusion. On the face of it, WithSecure has demonstrated a risk that can be exploited, and it has pointed to NIST's own statements that the ECB mode is a problem. So why is Microsoft saying there is no problem? Enterprise Times has emailed Microsoft asking for more clarity on why this is not considered an issue but, as of the time of writing, has received no response.

What should you do?

At this point, there is no reason to think WithSecure is wrong in its assessment of the risk. Sintonen says, “Any organization with personnel that used OME to encrypt emails is basically stuck with this problem. For some, such as those that have confidentiality requirements put into contracts or local regulations, this could create some issues. And then of course, there’s questions about the impact this data could have in the event it’s actually stolen, which makes it a significant concern for organizations.”

The press release from WithSecure goes further. It states, “Because there is no fix from Microsoft or a more secure mode of operation available to email admins or users, WithSecure recommends avoiding the use of OME as a means of ensuring the confidentiality of emails.”

Making that change is unlikely to be simple for many organisations. Many will have the use of OME codified into their operational procedures. Changing that requires a rethink of those processes and a replacement to be found, which takes time to research, test, approve and implement. This is not an overnight fix.

Enterprise Times: What does this mean?

There are multiple issues here. The first and most important is why the two organisations are at odds over the risk posed by the use of ECB. There is no evidence of scaremongering by WithSecure: it has provided a clear write-up of how the attack works and what it was able to do.

The fact that this attack can be carried out against historical records is a major concern. Attackers regularly scoop up large amounts of data that is believed to be safe because it was encrypted. Yet we already know that as technology advances, the ability to break that encryption grows, so historical data becomes less secure over time.

In this case, there is no waiting for technology to advance; WithSecure has demonstrated that it can be done now. Any organisation that has lost OME-encrypted data therefore needs to re-evaluate the potential risk attached to that data.

But simply changing tooling now does not address the larger issue of older data. What is the risk? How exposed are companies? And how many will be willing to look back at previous data breaches and assess what this means for them?
