Posted on October 2, 2019 at 3:14 PM

Researchers Expose Flaw That Allows Hackers To Access Encrypted PDFs

Cybersecurity is one of the most pressing matters in recent years as the world becomes more digitally inclined. Governments and concerned regulatory bodies are continually working on improving the laws surrounding cybersecurity as they seek to protect citizens from the potential harm that could come as a result of hacks and other forms of cyberattacks. As attempts to make digital spaces more secure, flaws in existing systems are exposed, and it is these flaws that need to be addressed.

PDFs susceptible to hacks

German researchers have revealed that they have discovered a technique through which one can access the contents of encrypted or password-protected PDF files. The research has shown that PDF files are not as secure as many users would have thought, and this places a lot of information and data held in PDF systems at risk.

Academics from Münster University of Applied Sciences and Ruhr University Bochum, both in Germany, released a paper that breaks down two variations of an attack on PDF files that left these files exposed. Over 23 popular PDF viewers were tested, and many of these were defenseless against this attack. Some of the PDF viewers involved include Evince, Chrome’s built-in PDF viewer, and Adobe Acrobat Reader. The paper released by academics is titled Practical Decryption exFiltration: Breaking PDF Encryption.

New Paper: “Practical Decryption exFiltration: Breaking PDF Encryption“ describing new attacks that uncover the plaintext of encrypted PDFs. To be presented at @acm_ccs and joint work with @jensvoid @Murgi @v_mladenov @CheariX @JoergSchwenk. #PDFex 1/n pic.twitter.com/1LjaHijRGs

— Sebastian Schinzel (@seecurity) September 30, 2019

The methods used to access PDF documents

The first of the two attack methods discovered by the researchers is called PDFex, and it focuses on attacking the weaknesses that lie in the standard encryption software that is built-in PDF files. It does not seem to break the password set on the PDF document, but it exploits the partial encryption that is found in the PDF. Exploiting the weakness in this partial encryption allows PDFex to exfiltrate the content carried in the document once the PDF’s rightful user opens the file.

Essentially, an attacker can ensure that once a password protected PDF file is opened with the correct password, a copy of the information contained in the document is automatically transferred to the attacker. The hacker could be using a remote server or JavaScript code to which the data will be sent. The attacker mixes ciphertexts with plaintexts which allows the loading of external resources onto the PDF. This direct exfiltration of data does not require any user interaction, which makes it even more dangerous.

The second method that the researchers have revealed is similar to the first, but this one makes use of the encrypted parts of the PDF document. The attacker will use a cryptography process called malleability to change pieces of ciphertext into another ciphertext. It does this using the Cipher Block Chaining (CBC) mode.

For CBC mode to work, the attacker has to know part of the text carried in the PDF file. This is because to encrypt the data, CBC mode uses a chaining mechanism. Each bit of plaintext is linked to the next block of ciphertext. This then allows a hacker to gain access to data carried in the PDF file and manipulate it according to the researchers.

Working to protect PDF users and reader providers

The researchers have provided their findings to any vendors that may be affected by such attacks. They also made proof of concept exploits for PDFex attacks available for the public. For this group of researchers, the ultimate aim is for PDF users to have safety in their use of this document type and for providers of PDF viewing services to have as much protection as possible on their software.

The team that worked on the research about these attack methods said that many of the widely used data formats allow partial encryption of the contents of a PDF file. This method of encryption makes it easy for an attacker to manipulate the content carried in the file and include their own data. This makes it possible for the attacker to create exfiltration channels on the document.

To add an extra layer of protection, the researchers said that support for PDF files that are not fully encrypted should be dropped. Alternatively, the providers of PDF viewers can implement policies that ensure that unencrypted files do not have access to any encrypted data. In the long term, they propose that the PDF 2.x specification should completely do away with mixed content.