Researchers from ETH Zurich discovered vulnerabilities in several leading end-to-end encrypted cloud storage providers.
Cryptographic vulnerabilities could permit malicious actors to circumvent encryption, jeopardise the confidentiality of stored files, manipulate sensitive data, and even introduce unauthorized content into customers’ systems.
The analysis examined five end-to-end encrypted (E2EE) cloud storage providers: Sync, pCloud, Seafile, Icedrive, and Tresorit, serving approximately 22 million global customers combined. All companies ensure robust encryption to protect data securely from unauthorized access – including that of their own service providers.
Researchers Jonas Hofmann and Kien Tuong Truong discovered that four out of five popular privacy-enhancing technologies possess extreme vulnerabilities that could potentially undermine protective measures. Researchers presenting at the ACM Convention on Laptop and Communications Security unveiled findings that highlight vulnerabilities in the end-to-end encryption (E2EE) safeguards provided by vendors, sparking concerns about the reliability of these assurances.
Despite its strengths, Tresorit still falls short in some areas.
Among the scrutinized entities, Tresorit stood out for its remarkably low vulnerability count, with only minor concerns regarding metadata manipulation and non-validated encryption keys arising from file transmission. While less intense, these factors may still present risks in certain scenarios? In stark contrast, four companies displayed significantly broader safety vulnerabilities, dramatically increasing the likelihood of data breaches or manipulation.
What are the most significant vulnerabilities in end-to-end encryption (E2EE)? Are there any plausible scenarios where an attacker could exploit these weaknesses?
Researchers assessed the resilience of end-to-end encryption (E2EE) by analyzing ten distinct attack scenarios, presuming an attacker had already compromised a cloud server with read, write, and injection privileges. Despite being an improbable scenario, the examine argues that E2EE must remain effective in such extreme circumstances. Some notable vulnerabilities are:
- Unauthenticated key materials in Sync and pCloud have been identified, allowing malicious actors to introduce their own encryption keys, decrypted data, and access sensitive information without authentication.
- Public key substitution: Until recently, popular services Sync and Tresorit were vulnerable to unauthorized key substitution during file-sharing operations, potentially allowing attackers to intercept or alter sensitive data.
- Vulnerability in Seafile Protocols Allows Downgrade to Weaker Encryption, Enabling Brute-Force Attacks
The use of unauthenticated encryption modes in Icedrive and Seafile has been identified as a potential threat, allowing malicious actors to manipulate and compromise file integrity without being detected. Furthermore, flaws in the “chunking” process across multiple organizations can undermine file integrity by allowing attackers to manipulate, delete, or reorganize file components, potentially compromising sensitive data.
The supplier provides responses that subsequently trigger further actions.
By April 2024, researchers had published their study results, which were subsequently incorporated into the development cycles of cloud storage services like Sync, pCloud, Seafile, and Icedrive; indeed, Tresorit adapted these findings in September. As various cloud storage services navigate the complexities of online data management, key players are taking different approaches to tackle emerging challenges. Tresorit acknowledged receipt, but declined further discussion.
According to a recent report, Sync is expediting the resolution of reported issues, having already addressed several vulnerabilities related to file-sharing links.
Researchers at ETH Zurich suspect that widespread vulnerabilities in end-to-end encrypted (E2EE) cloud storage systems necessitate further scrutiny and the establishment of standardized protocols to guarantee secure encryption practices throughout industries.
