“Mega – The most trusted, best-protected cloud storage” – this is how New Zealand-based cloud provider Mega advertises its services. Like many other providers of cloud solutions, Mega also promises that not even the company itself can view or manipulate any data saved by customers. This mostly isn’t about whether customers trust the providers themselves but about the fact that large IT platforms like Mega – who have millions of customers and billions of saved files – become targets for actors such as security services, governments or people with criminal intent. “When talking about cloud providers, you can never rule out that their systems are compromised,” says Professor Kenneth Paterson. “It’s also a regular occurence for providers to work with governmental organisations.” This makes it all the more important that the customer is the only one who can decrypt their cloud data.
ETH cryptography experts Matilda Backendal, Miro Haller and Professor Paterson tested Mega’s encryption and discovered serious security holes. These vulnerabilities would allow the provider – or third parties who manage to access to Mega’s servers – to decrypt or alter customer data or to surreptitiously place files on customers’ storage drives.
Fundamental weakness: one key for everything
Paterson and his team analysed the source code of Mega’s software and unearthed several critical security issues. In order to test the effectiveness of potential attacks, they partially recreated Mega’s platform and tried to forcibly gain access to their personal accounts.
When a user accesses their Mega account, their private RSA key – which is used to exchange data – can be stolen within a maximum of 512 login attempts by hijacking the session ID. An additional manipulation of the Mega software program on the computer of the victim can force their user account to constantly log in automatically. This shortens the time needed to fully reveal the key to just a few minutes.
Since the keys for file encryption are protected in a similar way, the attackers can use the knowledge gleaned from the first attack to reveal all additional keys.
Stealing, manipulating or uploading data
At this point in the scheme, attackers would have complete access to unencrypted user data and would be able to copy or manipulate their victim’s files. Another method of attack would even allow them to sneak files onto the cloud drive of the victim. This would allow hackers to deceive or blackmail victims by putting controversial, illegal or compomising material in their cloud storage. The victim would be powerless to prove that they were not the ones who uploaded the offending material.
The ETH research team made their findings available to Mega. “We also presented Mega with a three-step plan that shows how these security holes can be closed,” explains Paterson. The first phase of the team’s plan consists of immediate measures that protect users from the most severe vulnerabilities. The second phase entails more extensive changes to deter attackers more efficiently without the need for more costly interventions such as re-encrypting data. The third phase contains long-term targets for re-designing the cryptographic architecture of the service. “The company has decided to react in ways that are different than what we suggested,” says Paterson. Mega’s measures have the ability to prevent the initial attack on the RSA key, however.