There is a flaw in the way that secure cloud storage companies protect their customers’ data, said computer scientists at Johns Hopkins.
This weakness jeopardizes the privacy protection these digital warehouses offer. Whenever customers share their confidential files with a trusted friend or colleague, the storage provider could exploit the security flaw to secretly view this private data, the researchers said.
The research focused on the secure cloud storage providers that businesses are using more and more to house or back up sensitive information about intellectual property, finances, employees and customers. These storage providers claim to offer “zero-knowledge environments,” meaning their employees cannot see or access the clients’ data. These storage businesses typically assert that this confidentiality is guaranteed because the information is encrypted before it is uploaded for cloud storage.
But the Johns Hopkins team found that complete privacy could not be guaranteed by these vendors.
“Our research shows that as long as the data is not shared with others, its confidentiality will be preserved, as the providers claim,” said Duane C. Wilson, a doctoral student in the Department of Computer Science in the university’s Whiting School of Engineering and lead author of a paper on the subject. “However, whenever data is shared with another recipient through the cloud storage service, the providers are able to access their customers’ files and other data.”
The problem, Wilson said, is that privacy during file-sharing is normally preserved by the use of a trusted third party, a technological “middle-man” who verifies the identity of the users who wish to share files. When this authentication process finishes, this third party issues “keys” that can unscramble and later re-encode the data to restore its confidentiality.
“In the secure cloud storage providers we examined,” Wilson said, “the storage businesses were each operating as their own ‘trusted third party,’ meaning they could easily issue fake identity credentials to people using the service. The storage businesses could use a phony ‘key’ to decrypt and view the private information, then re-encrypt it before sending it on to its intended recipient.”
“As a result, whenever data is shared with another user or group of users, the storage service could perform a man-in-the-middle attack by pretending to be another user or group member,” Wilson said. “This would all happen without alerting the customers, who incorrectly believe that the cloud storage provider cannot see or access their data.”
These storage services generally do not share the details of how their technology works, so Wilson and Giuseppe Ateniese, an associate professor in the department, a senior author of the paper and Wilson’s faculty adviser, substantiated the security flaw by using a combination of reverse engineering and network traffic analysis to study the type of communication that occurs between a secure cloud storage provider and its customers.
The researchers pointed out that their study focused only on three storage providers that claimed their customers’ data would remain completely confidential. Other file-sharing services, such as Dropbox and Google Drive, make no pledge of privacy. Instead, they say that after a user’s data is uploaded, it is encrypted with keys owned by the file-sharing service.
To solve the security flaw, the researchers recommend that the arrangements between customers and secure storage providers be revised so that an independent third party serves as the file-sharing “middle-man,” instead of the storage company itself.
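The client-side check below is an added example, not code from the researchers' paper or from any storage provider. It assumes a sender can obtain each recipient's key fingerprint from a party independent of the storage provider, and it refuses to share when the key the provider hands out does not match; the directory names, user names and key bytes are hypothetical and constructed.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of an encoded public key, hex encoded."""
    return hashlib.sha256(public_key).hexdigest()


def check_share_key(recipient: str, provider_key: bytes, independent_fprs: dict) -> str:
    """Decide whether a recipient key served by the storage provider may be used.

    "ok"         - key matches the fingerprint the independent party vouches for
    "mismatch"   - provider served a different key (possible key substitution)
    "unverified" - no independent record exists; fail closed and do not share
    """
    expected = independent_fprs.get(recipient)
    if expected is None:
        return "unverified"
    if hmac.compare_digest(fingerprint(provider_key), expected):
        return "ok"
    return "mismatch"


def audit_shares(provider_directory: dict, independent_fprs: dict) -> dict:
    """Check every key the provider hands out; return the recipients to block."""
    blocked = {}
    for user, key in provider_directory.items():
        verdict = check_share_key(user, key, independent_fprs)
        if verdict != "ok":
            blocked[user] = verdict
    return blocked


# Constructed sample data: byte strings stand in for encoded public keys.
ALICE_KEY = b"constructed-public-key-alice"
BOB_KEY = b"constructed-public-key-bob"
SUBSTITUTED_KEY = b"constructed-public-key-held-by-provider"

# Fingerprints recorded by the independent party (hypothetical directory).
INDEPENDENT_FPRS = {"alice": fingerprint(ALICE_KEY), "bob": fingerprint(BOB_KEY)}

# What the storage provider's own directory returns when a file is shared.
PROVIDER_DIRECTORY = {"alice": ALICE_KEY, "bob": SUBSTITUTED_KEY,
                      "carol": b"constructed-public-key-carol"}

if __name__ == "__main__":
    for user, verdict in audit_shares(PROVIDER_DIRECTORY, INDEPENDENT_FPRS).items():
        print(f"do not share with {user}: {verdict}")
```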
“Although we have no evidence that any secure cloud storage provider is accessing their customers’ private information, we wanted to get the word out that this could easily occur,” said Ateniese, who supervised the research. “It’s like discovering that your neighbors left their door unlocked. Maybe no one has stolen anything from the house yet, but don’t you think they’d like to know that it would be simple for thieves to get inside?”