Fraunhofer Institute finds security vulnerabilites in cloud storage services
The Fraunhofer Institute for Secure Information Technologoy (SIT) has tested seven cloud storage service providers and published its results in a freely available report. The authors of the report found vulnerabilities affecting registration and login, encryption and shared access to data for several of the services.
The study looked at CloudMe, CrashPlan, Dropbox, Mozy, TeamDrive, Ubuntu One and Wuala. Each of these services can be accessed directly by means of client software installed on a user's system; the researchers did not look at services such as Amazon's S3 which are only accessible via an API. In response to enquiries by The H's associates at heise Security, a spokesperson confirmed that a follow-up study to look at other major providers is being planned.
The functions examined by Fraunhofer were copying, backup, synchronisation and sharing. Only TeamDrive and Wuala offer all four of these features. CrashPlan and Mozy only offer a backup service – a service that is not offered by CloudMe, Dropbox or Ubuntu One.
The worst performer with respect to the security factors tested was CloudMe. It does not encrypt data either before or during data transfer. The researchers also criticise CrashPlan, TeamDrive and Wuala for using their own unpublished transport encryption protocol rather than the SSL/TLS standard.
CloudMe, Dropbox and Ubuntu One also lost marks for not using client-side encryption, meaning that the service provider could read stored data. Wuala does offer this feature, but the deterministic encryption procedure used could enable the provider to recognise duplicate files.
The study also dedicates a chapter to legal issues. The authors note that the US Patriot Act means that data stored with US companies does not enjoy the same level of data protection as data stored in the European Union. Of the companies studied, only CloudMe (Sweden), TeamDrive (Germany) and Wuala (Switzerland) fall outside the jurisdiction of this legislation.