Some cloud storage providers offering end-to-end encryption (E2EE) are mostly operating a broken ecosystem which could, in very realistic theory, allow threat actors to tamper with the files in a way that should not be possible, experts have claimed.
In an in-depth analysis, recently published on the brokencloudstorage.info website, cybersecurity researchers Jonas Hofmann and Kien Tuong Truong from ETH Zurich noted that if a threat actor compromises a company server, they can “inject files, tamper with file data, and even gain direct access to plaintext.”
During their research, the two experts analyzed five major providers in the field - Sync, pCloud, Icedrive, Seafile, and Tresorit, concluding, “many of our attacks affect multiple providers in the same way, revealing common failure patterns in independent cryptographic designs.”
Nation-state targets
On Sync and pCloud, a compromised server could be abused to break the confidentiality of uploaded files, inject files, and tamper with their content, while for Seafile such a server could be used to speed up brute-force attacks, inject files, and tamper with the content.
For Icedrive, hackers could use a compromised server to break the integrity of uploaded files, inject files, and tamper with their content, while for Tresorit, a broken server could be used to present non-authentic keys when sharing files. Crooks would also be able to tamper with some metadata in the storage.
The researchers stress that this doesn’t mean that the service providers are malicious, but that these flaws make them a major target for threat actors. More importantly - nation-state threat actors. They also added that compromising a server belonging to an E2EE cloud storage provider isn’t as far-fetched as it may seem at first.
In fact, they argue it’s the “most realistic” adversary model for E2EE cloud storage.
The majority of the service providers mentioned in the report - Sync, Seafile, and Tresorit, were said to have acknowledged the report. Icedrive is yet to address the issue, while there are no reports for pCloud just yet.
Via The Hacker News