Consumers who purchase premium cloud storage services that are designed to be secure would expect the solution they are buying to be somewhat bulletproof. Researchers from Johns Hopkins University disagree.
A research paper entitled “To Share or Not to Share” was authored by Duane C. Wilson and Giuseppe Ateniese. The paper breaks down the myth of secure cloud storage and how hackers can exploit these services to gain access to privileged materials. How does the exploit work?
When you share a file using a secure cloud storage provider, you are essentially relying on the service to broker the authentication, much like a middleman. Wilson mentions, “When this authentication process is finished, the third party issues ‘keys’ that can unscramble and later re-encode the data to restore its confidentiality.”
Wilson further explains, “Storage businesses were each operating as their own ‘trusted third party,’ meaning they could easily issue fake identity credentials to people using the service. The storage businesses could use a phony ‘key’ to decrypt and view the private information, then re-encrypt it before sending it on to its intended recipient.”
The paper notes that the tests were conducted on Wuala, SpiderOak and Tresorit. These services state that client data is completely confidential. According to the JHU researchers, a “middle-man” attack could theoretically allow someone to create phony keys, thus allowing a third party to access the secure data.
To formulate the attack, Wilson and Ateniese focused on reverse engineering each of the storage providers’ processes. The team of security researchers then focused on inspecting packets between the service and the end users.
Ateniese commented on the flaw by saying, “Although we have no evidence that any secure cloud storage provider is accessing their customers’ private information, we wanted to get the word out that this could easily occur.”