Security weaknesses in PDF encryption

Researchers from Ruhr-Universität Bochum and FH Münster have demonstrated that attackers can manipulate encrypted PDF documents so that their decrypted content is leaked once a legitimate user opens them.


Encryption is supposed to protect confidential documents such as medical records or industrial correspondence. Attackers can, however, leak the content of encrypted documents.

Encrypted PDF documents are meant to enable confidential transmission of data. Researchers from Ruhr-Universität Bochum and FH Münster University of Applied Sciences have, however, demonstrated that attackers can manipulate encrypted PDF documents in such a way that the documents exfiltrate their own content to an attacker-controlled server once a legitimate user opens them. The IT experts published their findings online on 30 September 2019.

Responsible disclosure of vulnerabilities

Due to the large number of affected vendors, the researchers reported the security weaknesses to the Computer Emergency Response Team (CERT) at the German Federal Office for Information Security in May 2019. The group headed by Professor Jörg Schwenk from Horst Görtz Institute for IT Security in Bochum, together with Fabian Ising and Professor Sebastian Schinzel from Institut für Gesellschaft und Digitales at FH Münster University of Applied Sciences, assisted in mitigating the vulnerabilities.

Decrypted content leaked to the attacker

For their study, the researchers assumed that the attacker obtains an encrypted PDF document, for example by intercepting an email sent to the victim. Even without the password needed to decrypt the document, the attacker can manipulate the file and embed actions that are executed later. The attacker then forwards the manipulated, still encrypted PDF document to the victim. Once the victim enters the password and opens the document, the hidden action is performed and the decrypted content is automatically sent to the attacker.

Two classes of security vulnerabilities

Two different classes of vulnerabilities, direct exfiltration and CBC gadgets, enable attacks of this kind. Direct exfiltration exploits the fact that PDF permits partially encrypted documents: unencrypted parts of the file (for example a form submission or link action) can be added by the attacker and reference the encrypted content, which is then sent out in plaintext after the viewer has decrypted it. CBC gadgets exploit the lack of integrity protection in PDF encryption, which uses AES in CBC mode (or RC4) without an authentication tag: an attacker who knows part of the plaintext can alter the ciphertext so that it decrypts to content of their choosing. The researchers provide an overview of the affected applications on their website.
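The malleability behind the CBC gadget class, as an added example that is not the researchers' code: in CBC mode each plaintext block is the block-cipher decryption of its ciphertext block XORed with the previous ciphertext block (the IV for the first block). Whoever knows one plaintext block can therefore XOR `known ^ target` into the preceding ciphertext block and make that block decrypt to `target`, without the key. The price is that the modified predecessor block itself decrypts to garbage, except when the predecessor is the IV, which in PDF's AESV2/AESV3 filters is stored as the first 16 bytes of every encrypted string or stream and is thus fully attacker-controlled. To keep the example runnable with only the standard library, a toy Feistel block cipher built from HMAC-SHA256 stands in for AES; it is an assumption of this example, not a secure cipher, and the gadget construction works identically with AES-CBC. The object keys and strings used as sample plaintext are constructed for the example.

```python
"""CBC malleability ("CBC gadget") demonstration. Added example, not code
from the PDFex researchers. A toy Feistel cipher replaces AES so the file
runs with the standard library only; the mode-level weakness is the same."""
import hashlib
import hmac
import os

BLOCK = 16
ROUNDS = 4

# Constructed sample plaintext: two structural blocks an attacker can guess
# from any PDF of this kind, followed by a block the attacker does not know.
KNOWN0 = b"<</Type /Catalog"   # 16 bytes
KNOWN1 = b" /Pages 2 0 R >>"   # 16 bytes
SECRET = b"secret payload!!"   # 16 bytes
TARGET = b"ATTACKER CHOSEN!"   # 16 bytes the attacker wants to inject


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Round function of the toy cipher: keyed hash truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(ROUNDS):
        l, r = r, xor(l, _round(key, r, i))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _round(key, l, i)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Returns iv || C0 || C1 || ..., mirroring how PDF stores the IV in front
    of the ciphertext. No integrity check, exactly like PDF encryption."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i : i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    iv, blocks = data[:BLOCK], data[BLOCK:]
    out, prev = [], iv
    for i in range(0, len(blocks), BLOCK):
        c = blocks[i : i + BLOCK]
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def cbc_gadget(data: bytes, index: int, known: bytes, target: bytes) -> bytes:
    """Attacker side, no key needed. `index` is the 0-based plaintext block
    whose content the attacker knows (`known`). Its predecessor in `data`
    (the IV for index 0) is XORed with known ^ target, so that block `index`
    now decrypts to `target`. For index > 0 the predecessor block is ruined."""
    off = index * BLOCK  # IV sits at offset 0, C_i at offset (i+1)*BLOCK
    pred = data[off : off + BLOCK]
    return data[:off] + xor(pred, xor(known, target)) + data[off + BLOCK :]


def demo() -> dict:
    key, iv = os.urandom(32), os.urandom(BLOCK)      # victim's secrets
    ct = cbc_encrypt(key, iv, KNOWN0 + KNOWN1 + SECRET)
    return {
        "original": cbc_decrypt(key, ct),
        # Gadget via the IV: first block replaced, nothing else disturbed.
        "via_iv": cbc_decrypt(key, cbc_gadget(ct, 0, KNOWN0, TARGET)),
        # Gadget via C0: second block replaced, first block becomes garbage.
        "via_block": cbc_decrypt(key, cbc_gadget(ct, 1, KNOWN1, TARGET)),
    }


if __name__ == "__main__":
    for name, pt in demo().items():
        print(f"{name:10s} {pt!r}")
```

The `via_block` case is why the real attacks need places in the document where a garbled block is tolerated (inside a string or comment, for instance) or where the IV can be used directly; the only complete fix is authenticated encryption, which PDF's AESV2/AESV3 filters do not provide.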

The researchers recommend that institutions and end-users who rely on PDF encryption check whether they are using an affected version. If so, they should install software updates where available, or otherwise contact their vendor.
