Skip to main content
Topic: PDF encryption standard weaknesses uncovered (Read 1025 times) previous topic - next topic

PDF encryption standard weaknesses uncovered

PDF files, even with extra encryption, could be easily hacked, a team academics has found.

The new attack, called PDFex, comes in two variations and in testing, it was successfully able to steal data from PDF files in 27 desktop and web PDF readers including Adobe Acrobat, Foxit Reader, Nitro and from Chrome and Firefox's built-in PDF viewers.

PDFex doesn't actually target the encryption used on PDF documents by external software. Instead the attack targets the encryption schemes used by the Portable Document Format (PDF) which means all PDFs are vulnerable regardless of the software used to view them.

While the PDF standard supports native encryption, a team of six academics from Ruhr-University Bocum and Münster University in Germany found issues with the standard's encryption support and leveraged these to create PDFex.

PDFex variations
According to a blog post published by the researchers, encrypted PDF documents are vulnerable to two attacks types that are known by the method used to carry out the attack and exfiltrate data.

The first, known as “direct exfiltration” uses the fact that PDF software doesn't encrypt the entirety of a PDF file and actually leaves some parts unencrypted. By tampering with these unencrypted fields, an attacker can create a booby-trapped PDF file that will attempt to send the file's content back to an attacker when decrypted and opened.

The second PDFex attack variation focuses on the parts of a PDF file that are encrypted. By using CBC gadgets, an attacker can modify the plaintext data stored in a PDF at its source. This means that an attacker can use a CBC gadget to modify the encrypted content to create booby-trapped PDF files that submit their own content to remote servers using PDF forms or URLs.

All of the different variations of PDFex require than an attack be able to modify user's encrypted PDF files. However, to do this they would have to intercept a victim's network traffic or have physical access to their devices or storage.

All in all, PDFex is a major vulnerability in the PDF standard and the research team behind the new attack will be presenting their findings at the ACM Conference on Computer and Communications Security next month.

You would be forgiven for thinking that encrypting PDFs, before they are stored or sent via email, keeps their contents away from prying eyes.

But according to researchers in Germany, it might be time to revisit that assumption after they discovered weaknesses in PDF encryption which could be exploited to reveal the contents of a file to an attacker.

Dubbed ‘PDFex’ (PDF exfiltration), the weaknesses documented in Practical Decryption exFiltration: Breaking PDF Encryption by researchers from Ruhr University Bochum and the Münster University of Applied Sciences, offer two attack methods, each with three variants that depend on which PDF viewer is used to open a target document.

Attack #1 – direct exfiltration
The PDF standard ships with native AES symmetric encryption which secures documents using a password communicated to the recipient (arguably a weakness in itself) or, in some installations, through public key encryption.

However, the researchers quickly discovered a hole in this method, so glaringly obvious that it’s surprising nobody’s noticed it before. The PDF standard allows for partially encrypted documents that include a mix of both encrypted and unencrypted sections, and does not include integrity checking. This means an attacker can add additional sections or interactive Actions to an encrypted PDF without raising any alarms, said the researchers in their overview:

The most relevant object for the attack is the definition of an Action, which can submit a form, invoke a URL, or execute JavaScript.

Actions can be set to run when a document is opened or something within the document is clicked on, and send the decrypted contents to an attacker’s server.

Although conceptually simple, using something like PDF form submission or JavaScript to do this turns out to be complex.

First, the attacker would need to intercept or obtain a copy of the PDF in order to insert the pointers, and would need a channel through which to exfiltrate the stolen data without that being noticed, detected or blocked.

Another unpredictable limitation is the way numerous different PDF viewers process things like JavaScript in order to enforce security.

Powerful, business-grade protection at home.
Play Video  Try for Free
Attack #2 – CBC gadgets
Because not all PDF viewers support unencrypted content in PDFs, the researchers tried a more involved technique that exfiltrates plaintext by manipulating the PDF’s cipher block chaining (CBC) encryption format using something called ‘malleability gadgets’.

In this attack, the researchers exploit the lack of integrity protection to modify the encrypted contents directly:

…an attacker can stealthily modify encrypted strings or streams in a PDF file without knowing the corresponding password or decryption key. In most cases, this will not result in meaningful output, but if the attacker, in addition, knows parts of the plaintext, they can easily modify the ciphertext in a way that after the decryption a meaningful plaintext output appears.

Fortunately – from an attacker’s point of view – the PDF AESV3 (AES256) specification defines 12 bytes of known plaintext…

The researchers tested both techniques against 27 popular PDF viewers and editors to see how successful they would be under real-world conditions, finding a surprising amount of variation between programs.

Nevertheless, all 27 were vulnerable to at least one variant on either attack method, including Adobe Acrobat, Foxit Reader, Evince, Okular, Chrome, and Firefox.

What does this mean? As with other formats that share some of the PDF’s security characteristics (XML, S/MIME, and ePub for instance), there is clearly some work to do in terms of AES-CBC’s integrity protection.

This must be fixed in future PDF specifications and any other format encryption standard, without enabling backward compatibility that would re-enable CBC gadgets.

Thanks to the widespread use of TLS encryption, it would be difficult for attackers to intercept and modify PDFs as they move across a network or the internet, whether the documents themselves are encrypted or not. However, PDFs at rest have been shown to be vulnerable.

If you think it’s worth encrypting your PDFs and you want to be sure they haven’t been tampered with, use a respected third party encryption tool, like GPG.