A feature purportedly released to enhance security may actually keep security practitioners up at night.

Earlier this year, Google announced a number of new security features within their G Suite offering that were intended as enhancements to cloud computing, file storage, and email among other areas. Among those enhancements was a feature known as Confidential Mode. Curiously, confidential mode was only made available to consumer Gmail users at the time of release (and that remains the case as of this writing), but the mode will certainly cause headaches for Google’s paying G Suite customers and the rest of the corporate email world, as the feature – which was purportedly released to enhance security – may actually keep security practitioners up at night.

Confidential mode has three key tenets, as well as some implications, inherent to its architecture:

  • Messages cannot be forwarded or shared
  • Senders can set the content to expire after a certain amount of time
  • Senders can require messages to be protected with an SMS passcode (and recipients must always log in with Google credentials)

Notably, the messages themselves are not traditional emails. Instead, they never leave the Google ecosystem and thus always reside on Google’s servers, making content inaccessible to anyone other than the sender and the recipient, except for perhaps Google. This allows for the type of control over the content described above.

Now let us consider the core tenets described above, as well as the architecture, from a security practitioner’s point of view, focusing specifically on how confidential mode allows attackers to evade detection.

At a minimum, most organizations today have some means of combating malware and credential theft sites by comparing URLs and attachments against threat intelligence. Because the content of messages sent in confidential mode is inaccessible to anyone other than the recipient due to the message always residing on a Google server, any URLs and/or attachments are not subjected to the scrutiny of any intelligence feeds integrated with email environments. When it comes to malicious URLs being received in confidential messages, the recipient organization is at the mercy of its own third-party tools integrated with web browsers and/or endpoints, or of Google’s integrated threat scanning. This all assumes the organization has these types of tools in place, that employees are accessing these messages on devices with that security software installed, and that Google is applying the threat intel available to it via VirusTotal to messages being sent in confidential mode (note: initial testing I performed on the latter proved concerning).
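To make the gap concrete, here is an added example (not code from the original article, and not Google's own notification format) of the kind of gateway check described above: it pulls URLs and attachment hashes out of a MIME message and compares them against a threat-intel set. The two sample messages, the intel entries and the `mail-viewer.example` domain standing in for a provider-hosted viewer are all constructed for illustration. The ordinary phish yields indicators the feed can match; the hosted-viewer notification yields nothing to match, so the check also flags it as uninspectable rather than silently passing it as clean.

```python
"""Gateway-style indicator check (added example, constructed data).

The hosted-viewer domain below is a placeholder: it represents any
provider that keeps the real message body on its own servers and sends
the recipient only a link to view it.
"""
import hashlib
import re
from email.message import EmailMessage
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed threat-intel feed. A real feed would carry published
# indicators; here the "known bad" hash is computed from the sample bytes.
BAD_URLS = {"http://login-verify.example/reset"}
BAD_HASHES = {hashlib.sha256(b"MZ-not-really-an-executable").hexdigest()}

# Constructed stand-in for a provider-hosted message viewer (assumption).
HOSTED_VIEWER_DOMAINS = {"mail-viewer.example"}


def extract_indicators(msg: EmailMessage):
    """Return (urls, attachment_sha256s) found in the message."""
    urls, hashes = set(), set()
    for part in msg.walk():
        if part.is_attachment():
            payload = part.get_payload(decode=True) or b""
            hashes.add(hashlib.sha256(payload).hexdigest())
        elif part.get_content_maintype() == "text":
            urls.update(URL_RE.findall(part.get_content()))
    return urls, hashes


def scan(msg: EmailMessage) -> dict:
    """Compare extracted indicators against the feed and report coverage."""
    urls, hashes = extract_indicators(msg)
    # True when every link points at a hosted viewer and nothing else was
    # delivered: the feed had no body content or attachment to inspect.
    hosted_only = bool(urls) and all(
        urlparse(u).hostname in HOSTED_VIEWER_DOMAINS for u in urls
    )
    return {
        "bad_urls": sorted(urls & BAD_URLS),
        "bad_hashes": sorted(hashes & BAD_HASHES),
        "attachments_inspected": len(hashes),
        "content_not_inspectable": hosted_only and not hashes,
    }


def build_ordinary_phish() -> EmailMessage:
    """Constructed sample: a normal email carrying a link and an attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Password reset"
    msg.set_content("Reset here: http://login-verify.example/reset")
    msg.add_attachment(
        b"MZ-not-really-an-executable",
        maintype="application",
        subtype="octet-stream",
        filename="invoice.exe",
    )
    return msg


def build_hosted_notification() -> EmailMessage:
    """Constructed sample: the recipient gets only a link to a hosted viewer."""
    msg = EmailMessage()
    msg["Subject"] = "You have a confidential message"
    msg.set_content("Open it here: https://mail-viewer.example/view/abc123")
    return msg


if __name__ == "__main__":
    print("ordinary phish:", scan(build_ordinary_phish()))
    print("hosted notification:", scan(build_hosted_notification()))
```

The `content_not_inspectable` flag is the practical takeaway: a mail gateway that only reports matches will report nothing for the hosted notification, which looks identical to a clean message. Routing such messages to a separate queue (or at least counting them) gives analysts visibility into how much mail the feed never actually inspected.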

Beyond the content being immune to threat intel analysis, the messages themselves cannot be easily shared with information security professionals. Many organizations rely upon training and awareness programs or platforms to equip employees with enough know-how to report suspected phishing emails. While studies have shown this is a dubious proposition to begin with (a recent Verizon report indicates that just 17% of all phishing attempts are reported, and – of greater concern – one in 25 recipients will interact with any given phishing attack), Google’s confidential mode eliminates any easy way for an end user to forward or share these emails. Reporting one would require taking a screenshot, but a screenshot does not provide an analyst the data typically accessible in an email – namely headers, URLs, and/or attachments.

To make matters even worse, senders can set the content to expire or manually revoke the message. Attackers have the ability to track who they have sent messages to and, in the event they are attempting to steal credentials, can simply revoke the message in question if and when that user has entered his or her credentials. Even if analysts are able to figure out a means to have users self-report suspicious messages, an attacker could revoke the message before the analyst has an opportunity to perform any kind of research. Additionally, revocation of messages can make it even more difficult for preventive threat intelligence to proliferate, since a signature cannot be created if a URL or attachment isn’t available for analysis.

Finally, because Google requires that non-Google or non-Gmail users log in using Google credentials to view the content of confidential messages, it opens up yet another threat vector that could see end users losing their personal credentials, and we all know how common credential reuse can be. Then there is the potential to phish users who might be expecting an SMS code upon receiving what they believe is a message in confidential mode, when in fact that message is spoofed and the SMS message contains its own credential theft URL.

When considering potential legitimate uses for confidential mode, a handful of scenarios come to mind – most of which center around sharing, well, confidential information: passwords, banking information, photos, etc. That said, there are a number of considerably safer alternatives for all of the aforementioned, from password vaults to document sharing websites to even an old-fashioned phone call.