Researchers at ETH Zurich have discovered significant security vulnerabilities in various widely used end-to-end encrypted (E2EE) cloud storage services. These vulnerabilities could allow an attacker to bypass encryption, compromise file confidentiality, tamper with data, or inject unauthorized files into users’ storage.
The study focused on five E2EE cloud storage providers—Sync, pCloud, Seafile, Icedrive, and Tresorit—serving approximately 22 million users globally. While these services claim to offer robust encryption to protect files from unauthorized access, researchers Jonas Hofmann and Kien Tuong Truong found severe flaws in four out of the five providers. Their findings, presented at the ACM Conference on Computer and Communications Security (CCS), shed light on the potential gaps in E2EE security assurances provided by these services.
Among the tested services, Tresorit exhibited the fewest vulnerabilities, with minor risks related to metadata tampering and non-authentic keys during file sharing. However, these issues, although less severe, could still pose risks in certain scenarios. On the other hand, the other four services showed more significant security gaps, increasing the likelihood of data exposure or tampering.
The researchers evaluated the strength of E2EE security by testing ten different attack scenarios, assuming the attacker had control over a cloud server with permissions to read, modify, or inject data. Although this level of access is unlikely, the study emphasizes the importance of E2EE remaining effective under such conditions. Notable vulnerabilities identified include unauthenticated key material in Sync and pCloud, public key substitution in Sync and Tresorit, and protocol downgrade attacks in Seafile.
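The following added example, which is not code from the study or from any of the providers, shows a client-side defence against the "unauthenticated key material" class of flaw: the client tags its stored key record with an HMAC keyed from the password, so a server that modifies the record is detected. The record layout, function names, and PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def derive_mac_key(password: str, salt: bytes) -> bytes:
    """Client-only key; the server stores the salt but never sees the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"key-record-mac" + salt, 200_000)

def _encode(user_id: str, version: int, public_key: bytes) -> bytes:
    # Length-prefix the user id so field boundaries cannot be shifted.
    uid = user_id.encode()
    return len(uid).to_bytes(2, "big") + uid + version.to_bytes(4, "big") + public_key

def seal_record(mac_key: bytes, user_id: str, version: int, public_key: bytes) -> dict:
    """Build the record the client uploads: key material plus an HMAC tag."""
    tag = hmac.new(mac_key, _encode(user_id, version, public_key), hashlib.sha256).digest()
    return {"user_id": user_id, "version": version, "public_key": public_key, "tag": tag}

def open_record(mac_key: bytes, record: dict, expected_user: str) -> bytes:
    """Return the public key only if the server-supplied record authenticates."""
    if record.get("user_id") != expected_user:
        raise ValueError("record belongs to a different user")
    expected = hmac.new(
        mac_key, _encode(record["user_id"], record["version"], record["public_key"]), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(record.get("tag") or b"", expected):
        raise ValueError("key material failed authentication")
    return record["public_key"]

def check(mac_key: bytes, record: dict, user: str) -> str:
    try:
        open_record(mac_key, record, user)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"

def demo() -> dict:
    # Constructed sample data: random bytes stand in for real public keys.
    salt, alice_pk, other_pk = os.urandom(16), os.urandom(32), os.urandom(32)
    key = derive_mac_key("correct horse battery staple", salt)
    stored = seal_record(key, "alice", 1, alice_pk)
    return {
        "honest": check(key, stored, "alice"),
        "key_swapped": check(key, {**stored, "public_key": other_pk}, "alice"),
        "tag_stripped": check(key, {**stored, "tag": None}, "alice"),
        "wrong_user": check(key, {**stored, "user_id": "bob"}, "alice"),
    }
```

Without the tag check, the client would accept all four records, which is the condition the study's server-controlling attacker relies on.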
Following the disclosure of their findings, responses from the providers varied, with Sync and pCloud yet to respond, Seafile planning to address the protocol downgrade issue, Icedrive declining to address concerns, and Tresorit acknowledging receipt without further comment. Sync has indicated that they are working on fixes to resolve documented data leak issues with file-sharing links.
The researchers believe that these security flaws are prevalent across many E2EE cloud storage platforms, highlighting the need for further investigation and a standardized protocol to ensure secure encryption in the industry.