Researchers Discover Flaws In 5 End-to-End Encrypted Cloud Services (scworld.com)
Saturday October 26, 2024 @05:34PM (EditorDavid), from the cloud-strikes dept.
- Reference: 0175328357
- News link: https://it.slashdot.org/story/24/10/26/1833203/researchers-discover-flaws-in-5-end-to-end-encrypted-cloud-services
- Source link: https://www.scworld.com/news/researchers-discover-flaws-in-5-end-to-end-encrypted-cloud-services
SC World reports:
> Several major end-to-end encrypted cloud storage services contain cryptographic flaws that could lead to loss of confidentiality, file tampering, file injection and more, [1]researchers from ETH Zurich said in a paper published this month.
>
> The five cloud services studied offer end-to-end encryption (E2EE), intended to ensure files cannot be read or edited by anyone other than the uploader, meaning not even the cloud storage provider can access the files. However, ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong, who presented their findings at the ACM Conference on Computer and Communications Security (CCS) last week, found serious flaws in four out of the five services that could effectively bypass the security benefits provided by E2EE by enabling an attacker who managed to compromise a cloud server to access, tamper with or inject files.
>
> The E2EE cloud storage services studied were Sync, pCloud, Seafile, Icedrive and Tresorit, which have a collective total of about 22 million users. Tresorit had the fewest vulnerabilities, which could enable some metadata tampering and use of non-authentic keys when sharing files. The other four services were found to have more severe flaws posing a greater risk to file confidentiality and integrity.
BleepingComputer reports that Sync is "fast-tracking fixes," while Seafile "promised to patch the protocol downgrade problem on a future upgrade." And SC World does note that all 10 of the tested exploits "would require the attacker to have already gained control of a server with the ability to read, modify and inject data. The authors wrote that they consider this to be a realistic threat model for E2EE services, as these services are meant to protect files even if such a compromise was to occur."
Thanks to Slashdot reader [2]spatwei for sharing the article.
[1] https://brokencloudstorage.info/
[2] https://www.slashdot.org/~spatwei
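The threat model in the summary is a server that can read, modify and inject blobs, and the client must still detect tampering, file swaps, rollbacks and injected files. The following is an added example written for this page; it is not code from the ETH Zurich paper or from any of the five services studied. It shows the shape a client-side design needs to take to survive that model: encrypt-then-MAC with the metadata the server controls (path and version) bound into the tag, and the client verifying against what it expects rather than what the server claims. The cipher is a constructed HMAC-based counter-mode PRF built only from the Python standard library so the example runs offline; a real client would use an AEAD such as AES-GCM or ChaCha20-Poly1305 and a proper KDF. All paths, file contents and the 32-byte master key are constructed sample data.

```python
"""Client-side authenticated encryption for a cloud file store.

Added example for this page, not code from the ETH Zurich paper or from any of
the five services it studied. The HMAC-based counter-mode PRF below stands in
for a real AEAD (AES-GCM / ChaCha20-Poly1305) so the example runs with only
the standard library; the point is the metadata binding and the verification
logic, not the primitive.
"""
import hashlib
import hmac
import os
import struct


class TamperError(Exception):
    """Raised when a blob fails authentication against the client's expected metadata."""


def _derive(master_key: bytes, label: bytes) -> bytes:
    # Domain-separated subkeys: one for encryption, one for the MAC.
    return hmac.new(master_key, b"subkey:" + label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode PRF stream: HMAC(enc_key, nonce || counter) per 32-byte block.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _canonical(*fields: bytes) -> bytes:
    # Length-prefix every field so (path, version, nonce, ct) cannot be re-split or aliased.
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def seal(master_key: bytes, path: str, version: int, plaintext: bytes) -> dict:
    """Encrypt a file on the client; path and version are bound into the tag as associated data."""
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # The tag covers the server-controlled metadata, so a blob moved to another
    # path or served as an older version fails verification.
    aad = _canonical(path.encode(), struct.pack(">Q", version))
    tag = hmac.new(mac_key, _canonical(aad, nonce, ct), hashlib.sha256).digest()
    return {"path": path, "version": version, "nonce": nonce, "ct": ct, "tag": tag}


def open_blob(master_key: bytes, expected_path: str, expected_version: int, blob: dict) -> bytes:
    """Verify and decrypt a blob against the path and version the client itself expects."""
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    # Never trust blob["path"] / blob["version"]: the server wrote them.
    aad = _canonical(expected_path.encode(), struct.pack(">Q", expected_version))
    tag = hmac.new(mac_key, _canonical(aad, blob["nonce"], blob["ct"]), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise TamperError(f"authentication failed for {expected_path} v{expected_version}")
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"]))))


def malicious_server_demo(master_key: bytes) -> dict:
    """Replay the server-side attacks from the threat model and report which ones the client catches."""
    # Constructed sample store; the client's own index says todo.txt is at v2 and salaries.csv at v8.
    store = {
        ("notes/todo.txt", 2): seal(master_key, "notes/todo.txt", 2, b"buy milk"),
        ("hr/salaries.csv", 7): seal(master_key, "hr/salaries.csv", 7, b"alice,100000"),
        ("hr/salaries.csv", 8): seal(master_key, "hr/salaries.csv", 8, b"alice,105000"),
    }
    results = {}
    results["honest"] = open_blob(master_key, "notes/todo.txt", 2, store[("notes/todo.txt", 2)]) == b"buy milk"

    def caught(expected_path: str, expected_version: int, blob: dict) -> bool:
        try:
            open_blob(master_key, expected_path, expected_version, blob)
            return False
        except TamperError:
            return True

    # 1. Bit-flip inside the ciphertext (file tampering).
    flipped = dict(store[("notes/todo.txt", 2)])
    flipped["ct"] = bytes([flipped["ct"][0] ^ 0x01]) + flipped["ct"][1:]
    results["tamper"] = caught("notes/todo.txt", 2, flipped)
    # 2. Serve the blob stored under one path when the client asks for another (file swap).
    results["swap"] = caught("notes/todo.txt", 2, store[("hr/salaries.csv", 8)])
    # 3. Serve v7 when the client's index says the latest write was v8 (rollback/downgrade).
    results["rollback"] = caught("hr/salaries.csv", 8, store[("hr/salaries.csv", 7)])
    # 4. Inject a server-made file sealed under a key the server invented (file injection).
    forged = seal(os.urandom(32), "hr/salaries.csv", 8, b"alice,1")
    results["inject"] = caught("hr/salaries.csv", 8, forged)
    return results


if __name__ == "__main__":
    print(malicious_server_demo(os.urandom(32)))
```

Two design points matter more than the primitive. First, `open_blob` takes the expected path and version from the caller, so the client must keep its own index of what it last wrote; if it instead trusted the `path` and `version` fields the server returns, the swap and rollback checks would collapse into trusting the server. Second, the tag covers length-prefixed fields, which closes the ambiguity where a server shifts bytes between the metadata and the ciphertext while keeping the concatenation identical.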
Maybe do not trust cloud operators? (Score:2)
They have proven time and again that they are not trustworthy. This is just one more example. At the very least get the encryption from somebody else.
Re: (Score:2)
One of these companies is Canadian (sync), and another is UK (icedrive). Both countries have laws around mandatory logging and data retention. Given these are only exploitable locally, it's unlikely but plausible that it's deliberate in their cases. A backdoor, if you will.
Re: (Score:2)
Only use cloud services where you do the encryption with your own tools on your end. Don't rely on their client.
That's why E2E cloud is worthless. If you don't control the client you can't trust it.