Security gaps found in encrypted cloud storage services


Researchers from ETH Zurich have uncovered significant security vulnerabilities in several widely used end-to-end encrypted (E2EE) cloud storage services.

The cryptographic flaws could enable attackers to bypass encryption, compromise file confidentiality, tamper with data, and even inject unauthorised files into users' storage.

The study analysed five E2EE cloud storage providers (Sync, pCloud, Seafile, Icedrive, and Tresorit), which collectively serve an estimated 22 million users worldwide. Each of the services promises strong encryption to safeguard files from unauthorised access, even by the service provider.

However, researchers Jonas Hofmann and Kien Tuong Truong found that four of the five have severe flaws that could weaken protections. Presented at the ACM Conference on Computer and Communications Security (CCS), their findings highlight potential gaps in the E2EE security promises made by providers.

Tresorit stands out but isn't flawless

Of the services examined, Tresorit demonstrated the fewest vulnerabilities, with only minor risks of metadata tampering and non-authentic keys during file sharing. Although less severe, these issues could still pose risks in certain scenarios. In contrast, the other four services exhibited more substantial security gaps, increasing the chances of data exposure or tampering.

Key vulnerabilities and realistic threats to E2EE

To evaluate the strength of E2EE security, the researchers tested ten different attack scenarios, assuming the attacker had already gained control over a cloud server with permissions to read, modify, or inject data. Though this level of access is unlikely, the study contends that E2EE should be effective even under such conditions. Some notable vulnerabilities are:

  • Unauthenticated key material: Both Sync and pCloud were found to have unauthenticated encryption keys, allowing attackers to insert their own keys, decrypt files, and access sensitive data.
  • Public key substitution: Sync and Tresorit were vulnerable to unauthorised key replacement during file sharing, allowing attackers to intercept or change files.
  • Protocol downgrade attack: The protocols used by Seafile allowed for a downgrade to weaker encryption standards, making it more vulnerable to brute-force attacks.

Other risks were identified in Icedrive and Seafile, which used unauthenticated encryption modes, allowing attackers to modify and corrupt file contents. Additionally, vulnerabilities in the "chunking" process across multiple services could compromise file integrity by allowing attackers to reorder, remove, or alter file pieces.
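The chunk-integrity property described above can be shown in a few lines. This is an added illustration, not code from the study or from any of the providers: it assumes each already-encrypted chunk gets an HMAC-SHA256 tag, computed with a client-held key, that also covers the file identifier, the chunk's position and the total chunk count. The function names, key and sample chunks are hypothetical.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

def _tag(key, file_id, index, total, chunk):
    # The MAC covers the file identity, the chunk position and the chunk
    # count, so a valid chunk is only valid in its original slot.
    header = hashlib.sha256(file_id).digest() + struct.pack(">QQ", index, total)
    return hmac.new(key, header + chunk, hashlib.sha256).digest()

def seal_chunks(key, file_id, chunks):
    """Upload side: append a position-bound tag to each ciphertext chunk."""
    chunks = list(chunks) or [b""]  # an empty file is stored as one empty chunk
    return [c + _tag(key, file_id, i, len(chunks), c) for i, c in enumerate(chunks)]

def open_chunks(key, file_id, stored):
    """Download side: verify every chunk before releasing any of them."""
    if not stored:
        raise ValueError("no chunks returned")
    verified = []
    for i, blob in enumerate(stored):
        chunk, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(key, file_id, i, len(stored), chunk)):
            raise ValueError(f"chunk {i} failed authentication")
        verified.append(chunk)
    return verified

def is_rejected(key, file_id, stored):
    try:
        open_chunks(key, file_id, stored)
        return False
    except ValueError:
        return True

# Constructed sample data: stand-ins for already-encrypted chunks.
KEY = b"k" * 32  # hypothetical client-held MAC key, never sent to the server
SAMPLE = [b"ct-chunk-0", b"ct-chunk-1", b"ct-chunk-2"]
SEALED = seal_chunks(KEY, b"file-A", SAMPLE)

def server_side_changes():
    """What a client would receive after each kind of storage-side change."""
    flipped = bytes([SEALED[1][0] ^ 1]) + SEALED[1][1:]
    return {
        "reordered": [SEALED[1], SEALED[0], SEALED[2]],
        "removed": SEALED[:2],
        "altered": [SEALED[0], flipped, SEALED[2]],
        "other_file": seal_chunks(KEY, b"file-B", SAMPLE),
    }
```

A production design would more commonly use an AEAD mode with the position data as associated data; HMAC is used here only to keep the example within the standard library.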

Provider responses and next steps

In April 2024, the researchers shared their findings with Sync, pCloud, Seafile, and Icedrive, followed by Tresorit in September. Responses varied, with Sync and pCloud yet to respond, Seafile preparing to patch the protocol downgrade issue, and Icedrive declining to address the concerns. Tresorit acknowledged receipt but declined to comment further.

According to a recent BleepingComputer report, Sync indicated that they're "fast-tracking fixes" and have already resolved some of the documented data leak issues with file-sharing links.

ETH Zurich researchers believe these security flaws are common across many E2EE cloud storage platforms, underscoring the need for further investigation and a standardised protocol to ensure secure encryption in the industry.
