Friday, November 15, 2024

Security gaps found in encrypted cloud storage services


Researchers at ETH Zurich have found critical security vulnerabilities in several widely used end-to-end encrypted (E2EE) cloud storage services.

The cryptographic flaws could allow attackers to bypass encryption, compromise file confidentiality, alter data, and even inject unauthorized data into users' storage.

The study analyzed five E2EE cloud storage providers (Sync, pCloud, Seafile, Icedrive and Tresorit) that collectively serve roughly 22 million users worldwide. Each of the services promises strong encryption to protect data from unauthorized access, even by the service provider.

However, researchers Jonas Hofmann and Kien Tuong Truong found that four of the five have serious flaws that could weaken those protections. Presented at the ACM Conference on Computer and Communications Security (CCS), their findings highlight potential gaps in the E2EE security promises made by vendors.

Tresorit stands out but is not perfect

Of the services tested, Tresorit showed the fewest vulnerabilities, with only minor risks of metadata manipulation and inauthentic keys during file sharing. Although less severe, these issues could still pose risks in certain scenarios. In contrast, the other four services exhibited more substantial security flaws, increasing the chances of data exposure or manipulation.

Key vulnerabilities and realistic threats to E2EE

To evaluate the security robustness of E2EE, the researchers tested ten different attack scenarios, assuming that the attacker had already gained control over a cloud server with permissions to read, modify or inject data. Although this level of access is unlikely, the study argues that E2EE should be effective even under such conditions. Some notable vulnerabilities are:

  • Unauthenticated key material: Both Sync and pCloud were found to have unauthenticated encryption keys, allowing attackers to insert their own keys, decrypt files, and access sensitive data.
  • Public key replacement: Sync and Tresorit were vulnerable to unauthorized key replacement during file sharing, allowing attackers to intercept or change files.
  • Protocol downgrade attack: The protocols used by Seafile allowed a downgrade to weaker encryption standards, making it more vulnerable to brute-force attacks.

Other risks were identified in Icedrive and Seafile, which used unauthenticated encryption modes, allowing attackers to modify and corrupt file contents. Additionally, vulnerabilities in the “fragmentation” process in several services could compromise file integrity by allowing attackers to reorder, delete, or alter parts of files.
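The following added example (not taken from the researchers' paper or from any provider's code) shows one way a client can make reordering, deleting, or altering file pieces detectable: each piece's authentication tag covers the file identifier, the piece's position, and the total number of pieces. The function names, key, and sample chunks are constructed for illustration, and the chunks stand in for already-encrypted data.

```python
import hashlib
import hmac
import struct

# Constructed sample values. In an E2EE client the key never leaves the device.
KEY = hashlib.sha256(b"constructed demo key").digest()
FILE_ID = b"file-0001"
CHUNKS = [b"chunk-A", b"chunk-B", b"chunk-C"]  # stand-ins for encrypted chunks


def _tag(key, file_id, index, total, chunk):
    # MAC input binds file identity, chunk position and total chunk count.
    # The length prefix keeps file_id from running into the fields after it.
    header = struct.pack(">I", len(file_id)) + file_id
    header += struct.pack(">QQ", index, total)
    return hmac.new(key, header + chunk, hashlib.sha256).digest()


def tag_chunks(key, file_id, chunks):
    """Client side, before upload: return [(chunk, tag), ...]."""
    if not chunks:
        chunks = [b""]  # an empty file is still one authenticated chunk
    total = len(chunks)
    return [(c, _tag(key, file_id, i, total, c)) for i, c in enumerate(chunks)]


def verify_chunks(key, file_id, tagged):
    """Client side, after download: return file bytes or raise ValueError."""
    total = len(tagged)
    if total == 0:
        raise ValueError("no chunks returned")
    out = []
    for i, (chunk, tag) in enumerate(tagged):
        expected = _tag(key, file_id, i, total, chunk)
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"chunk {i} failed authentication")
        out.append(chunk)
    return b"".join(out)


def is_valid(key, file_id, tagged):
    try:
        verify_chunks(key, file_id, tagged)
        return True
    except ValueError:
        return False
```

Because the total count is part of every tag, a server that returns fewer or more chunks than were uploaded fails verification even when each returned chunk is individually genuine.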

Provider responses and next steps

In April 2024, the researchers shared their findings with Sync, pCloud, Seafile, and Icedrive, followed by Tresorit in September. Responses varied: Sync and pCloud have yet to respond, Seafile is preparing to fix the protocol downgrade issue, and Icedrive refuses to address the concerns. Tresorit acknowledged receipt but declined to comment further.

According to a recent BleepingComputer report, Sync indicated that it is working on “fast fixes” and has already resolved some of the documented data leak issues with file sharing links.

The ETH Zurich researchers believe these security flaws are common across many E2EE cloud storage platforms, underscoring the need for more research and a standardized protocol to ensure secure encryption in the industry.

(Photo by Roman)
