A team of cryptographers from ETH Zurich has extensively tested the cloud service from the New Zealand provider Mega. Security gaps were discovered that allow the provider to decrypt and manipulate customer data.
The issue is not only whether customers trust the provider, but also that large IT service providers with millions of customers and billions of stored files, such as Mega, are inevitably targeted by secret services, governments or people with criminal intentions. “You can’t rule out the possibility of a large cloud provider having its systems compromised,” says ETH Professor Kenneth Paterson. “In addition, it also happens again and again that providers work together with government organizations.” This makes it all the more important that only customers can decrypt their cloud data.
ETH cryptography expert Matilda Backendal and her colleague Miro Haller tested Mega’s encryption together with Paterson and found serious security gaps. These enable the provider, or third parties who gain access to Mega’s servers, to decrypt customer data, to change it, or to place specific data in the customer’s storage.
Basic vulnerability: One key for everything
Paterson and his team analyzed the source code of the New Zealand provider’s software and found several critical vulnerabilities. To test the effectiveness of the attacks, they partially recreated the provider’s platform and attempted to attack their own personal accounts.
If a user accesses their Mega account, the user’s private RSA key can be stolen within a maximum of 512 login attempts by manipulating the session ID. This key is used to exchange data. Additional manipulation of the Mega software on the victim’s computer can cause the affected user account to log in automatically again and again. This shortens the time it takes for the key to be fully disclosed to just a few minutes.
Since the keys for file encryption, among other things, are protected in the same way, the attackers can use the knowledge gained from the first attack to disclose all other keys as well.
Steal data, manipulate it or upload it yourself
Now the attackers have complete access to the unencrypted user data and can copy and manipulate it. An additional attack variant even makes it possible to upload arbitrary data to the victim’s cloud drive. Thus, the perpetrators can scam or blackmail the victim by inserting controversial, illegal, or compromising material into their file storage. The victim, in turn, has no chance to prove that they did not upload the material themselves.
The ETH researchers have disclosed the vulnerabilities found to Mega. “In addition, we provided Mega with a three-step action plan that outlines how the vulnerabilities could be remedied,” Paterson said. In a first phase, the team recommended a set of immediate actions that protect users from the most serious security issues.
The second phase comprises more extensive changes to mitigate attacks more efficiently without making costly changes like data re-encryption. The third phase includes long-term goals for the redesign of the cryptographic architecture. “However, the company took different actions than those we proposed,” says Paterson. These actions are nevertheless able to prevent the first attack, i.e. the one on the RSA key.