To make it easier to share huge files, as well as ensure the safety of important data, businesses are making increasing use of the cloud – storing their computer files on remote servers.
But two researchers at Johns Hopkins have questioned the security of the growing number of companies now offering cloud storage services.
Lead author Duane Wilson, a doctoral student, and his faculty adviser, Giuseppe Ateniese, an associate professor of engineering, say they have found a flaw that could allow the company storing the supposedly secure data to view it.
When a company stores its secure data in the cloud, it is typically promised that the information will remain in a “zero-knowledge environment,” meaning that no one except those who have permission to access the data can see it.
Encryption is supposed to protect the data. The researchers say it doesn't always work that way.
“Our research shows that as long as the data is not shared with others, its confidentiality will be preserved, as the providers claim,” Wilson said. “However, whenever data is shared with another recipient through the cloud storage service, the providers are able to access their customers’ files and other data.”
In other words, the company that is holding and protecting the data is also able to view it. This weakness, the researchers say, calls into question the privacy protection these digital warehouses claim to offer.
In cloud-based storage, a trusted third party acts as sort of a middleman to verify the identity of the parties accessing the data, making sure they are cleared for access.
After completing an authentication process, the middleman issues “keys” that can unscramble and later recode the data. But Wilson says he found that many cloud storage companies were not turning to an outside third party, but carrying out the verification function in-house.
That might not be a problem in a perfect world, where all employees are committed to maintaining the clients' confidentiality. Unfortunately, says Wilson, it's not a perfect world.
“The storage businesses could use a phony ‘key’ to decrypt and view the private information, then re-encrypt it before sending it on to its intended recipient,” Wilson said.
The researchers say they substantiated the security flaw by reverse engineering a typical cloud storage system. They also carried out a network traffic analysis to study the type of communication that occurs between a secure cloud storage provider and its customers.
They stress that they have no evidence that any cloud storage provider is illegally accessing its customers' confidential data, but say it is important that consumers and businesses using these services understand the potential risks.
The study focused on storage providers that promise their clients complete confidentiality. File-sharing services commonly used by consumers, like Dropbox and Google Drive, don't guarantee privacy and consumers shouldn't assume they have it.
The flaw is easily fixable, Wilson says, if storage companies are required to actually use third-party companies to serve as the file-sharing middleman, instead of performing the function in-house.
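The following is an added example, not code from the researchers or from any storage provider. It shows a sender-side check, separate from the third-party fix Wilson proposes, that detects the substituted key he describes by comparing the key the provider supplies against a fingerprint obtained from the recipient directly. The function names, the sample keys and the out-of-band fingerprint step are assumptions made for illustration.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of an encoded public key, as lowercase hex."""
    return hashlib.sha256(public_key).hexdigest()

def normalize(fp: str) -> str:
    """Accept fingerprints written with colons, spaces or mixed case."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")

def check_recipient_key(recipient, directory, pins):
    """Return (key, reason). key is None unless the provider's answer matches
    the fingerprint the sender received from the recipient out of band."""
    key = directory.get(recipient)
    if key is None:
        return None, "provider returned no key"
    pinned = pins.get(recipient)
    if pinned is None:
        # Fail closed: with no independent fingerprint, the provider's word
        # is the only evidence of whose key this is.
        return None, "no out-of-band fingerprint on file"
    if not hmac.compare_digest(fingerprint(key), normalize(pinned)):
        return None, "fingerprint mismatch: key did not come from recipient"
    return key, "ok"

# Constructed sample data: opaque byte strings stand in for encoded public keys.
BOB_KEY = b"constructed-public-key-of-bob"
OTHER_KEY = b"constructed-public-key-generated-in-house"

# Fingerprint as the recipient might hand it over directly, in grouped form.
_fp = fingerprint(BOB_KEY).upper()
PINS = {"bob": ":".join(_fp[i:i + 4] for i in range(0, 64, 4))}

HONEST_DIRECTORY = {"bob": BOB_KEY}               # provider passes on the real key
SUBSTITUTING_DIRECTORY = {"bob": OTHER_KEY}       # provider answers with its own key

if __name__ == "__main__":
    for name, directory in [("honest", HONEST_DIRECTORY),
                            ("substituting", SUBSTITUTING_DIRECTORY)]:
        key, reason = check_recipient_key("bob", directory, PINS)
        print(name, "->", "share" if key else "abort", "-", reason)
```

The file key would be encrypted for the recipient only when `check_recipient_key` returns a key; any other result aborts the share before data leaves the sender.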
Still dealing with Heartbleed
The revelations from the Johns Hopkins researchers come at a time when security experts are still scrambling to deal with the fallout from the recently revealed Heartbleed flaw.
“Everyone should worry about Heartbleed and should change passwords,” said Guy Hembroff, associate professor and chair of the Computer Network and System Administration program at Michigan Technological University. “An average user logging into their Amazon account may be logging into a server that was compromised.”
If that happened to be the case, he says their username, password, and account information – such as address and credit-card information – would be in the memory of the server where the vulnerability is targeted.
“Therefore changing passwords of these accounts is important,” he said.