Researchers from ETH Zurich have uncovered important safety vulnerabilities in a number of extensively used end-to-end encrypted (E2EE) cloud storage companies.
The cryptographic flaws might enable attackers to bypass encryption, compromise file confidentiality, tamper with knowledge, and even inject unauthorised information into customers’ storage.
The examine analysed 5 E2EE cloud storage suppliers—Sync, pCloud, Seafile, Icedrive, and Tresorit—which collectively serve an estimated 22 million customers worldwide. Every of the companies guarantees strong encryption to safeguard information from unauthorised entry, even by the service supplier.
Nonetheless, researchers Jonas Hofmann and Kien Tuong Truong found that 4 of the 5 have extreme flaws that may weaken protections. Introduced on the ACM Convention on Pc and Communications Safety (CCS), their findings spotlight potential gaps within the E2EE safety guarantees made by suppliers.
Tresorit stands out however isn’t flawless
Of the companies examined, Tresorit demonstrated the fewest vulnerabilities, with solely minor dangers of metadata tampering and non-authentic keys throughout file sharing. Though much less extreme, these points might nonetheless pose dangers in sure eventualities. In distinction, the opposite 4 companies exhibited extra substantial safety gaps, growing the possibilities of knowledge publicity or tampering.
Key vulnerabilities and lifelike threats to E2EE
To guage the power of E2EE safety, researchers examined ten completely different assault eventualities, assuming the attacker had already gained management over a cloud server with permissions to learn, modify, or inject knowledge. Although this degree of entry is unlikely, the examine contends that E2EE needs to be efficient even below such circumstances. Some notable vulnerabilities are:
- Unauthenticated Key Materials: Each Sync and pCloud have been discovered to have unauthenticated encryption keys, permitting attackers to insert their very own keys, decrypt information, and entry delicate knowledge.
- Public key substitution: Sync and Tresorit have been weak to unauthorised key alternative throughout file sharing, permitting attackers to intercept or change information.
- Protocol downgrade assault: The protocols utilized by Seafile allowed for a downgrade to weaker encryption requirements, making it extra weak to brute-force assaults.
Different dangers have been recognized in Icedrive and Seafile, which used unauthenticated encryption modes, permitting attackers to change and corrupt file contents. Moreover, vulnerabilities within the “chunking” course of throughout a number of companies might compromise file integrity by permitting attackers to reorder, take away, or alter file items.
Supplier supplies responses and subsequent steps
In April 2024, the researchers shared their findings with Sync, pCloud, Seafile, and Icedrive, adopted by Tresorit in September. Responses various, with Sync and pCloud but to reply, Seafile making ready to patch the protocol downgrade subject, and Icedrive declining to handle the considerations. Tresorit acknowledged receipt however declined to talk extra.
In keeping with a latest BleepingComputer report, Sync indicated that they’re “fast-tracking fixes” and have already resolved a number of the documented knowledge leak points with file-sharing hyperlinks.
ETH Zurich researchers consider these safety flaws are widespread throughout many E2EE cloud storage platforms, underscoring the necessity for additional investigation and a standardised protocol to make sure safe encryption within the trade.
(Picture by Roman)
See additionally: Why firms proceed to wrestle with cloud visibility – and code vulnerabilities
Need to be taught extra about cybersecurity and the cloud from trade leaders? Try Cyber Safety & Cloud Expo going down in Amsterdam, California, and London. Discover different upcoming enterprise know-how occasions and webinars powered by TechForge right here.