Backup Security: How Safe Is Your Backup?

Backup Security: How Safe Is Your Backup? And How to Make Sure It Actually Backs You Up.

The airplane is slowly taxiing on the runway to the takeoff. You look at the airport through the window, relax in the seat and place your laptop in the forward compartment. The flight attendant gently taps your shoulder to check whether you are buckled up. The audio speaker plays a message asking all passengers to turn their electronic devices off. You reach into your pocket to switch on airplane mode on your office smartphone… That’s when you realize you forgot it in the restroom at the gate.

Instead of panicking you ask your aisle neighbor to use her tablet. You log into the Cloud device management system of your smartphone vendor. Let it be “Find My iPhone” in this case. First you turn on the ‘Lost mode’. This is just precautionary, not a necessary step. Your phone is always protected by a passcode anyway.

Then you type in the phone number of an old Nokia feature phone you always carry around ‘just in case’ and a funny ‘Please return’ message to whoever found your expensive and important ‘other’ phone. They actually might be interested in calling, if they’re good samaritans or care about Karma, depending on religious beliefs, of course.

After completing all these steps you dial up a colleague, who’s going to pick you up at the destination airport, and ask her to grab a temporary replacement smartphone from an IT guy in the local branch office of your company.

After arriving at the destination airport you download the backup from the lost phone into a temporary replacement device. It’s as easy as several clicks. You enter your password to the cloud vendor like Google Drive or iCloud. Voilà! All your emails, documents, calendars and reminders are here, while your actual device awaits you at the lost and found shelf of your home airport.

Isn’t that just a perfect case of technology bringing true convenience and business effectiveness? Yes, but convenience usually comes at the expense of security. The history of hacking shows that backup has been a backdoor into various online services and platforms, including WhatsApp, iCloud and various others. Pretending to be the owner of the lost device who is now restoring it, hackers extract your valuable data from the cloud or from your encrypted hard drive.

Does this mean you shouldn’t back up your stuff? Definitely not. Properly protected and scheduled backups minimize the need for making other, unprotected, records. Unprotected records might create even bigger vulnerabilities in the long run. Therefore, if made properly and timely, backups actually enhance your digital security.

Backing Up on the Cloud?

Cloud backup solutions are the most convenient modern type of backup. The airport restroom story above is an example. Many platform and device vendors like Google, Apple, Microsoft, Samsung or HTC offer freemium cloud backup. The major Linux vendor Ubuntu once offered the Ubuntu One service.

In a freemium cloud backup solution the information from your device is backed up automatically to the vendor-owned cloud. After reaching a certain limit (usually measured by gigabytes of the available cloud storage) you start receiving offers to upgrade to a commercial cloud backup plan.

The vulnerabilities of cloud backup fall into three areas: channel, server and credentials. To secure your backup, all three must be considered. Failing at even one of them will very likely lead to a security compromise, regardless of the others.

Getting Vulnerabilities Covered

Channel. It’s obvious that your channel must be encrypted. Luckily, it’s 2017 and most channels are encrypted by default. However, the Heartbleed story teaches us not to take any channel encryption for granted. If you’re using an older version of Android or iOS (a bad idea per se), then take some time to scroll through the Settings of your device and make sure the backup encryption is actually turned on.

The Heartbleed OpenSSL bug became so favored by the commercial cybersecurity community that it got its own logo, developed by a Finland-based fuzz testing firm. Heartbleed is a convenient poster child for discrediting open source cybersecurity solutions by mainstream cybersec businesses. It’s proof of the ‘better pay and play it safe’ argument. Image by Codenomicon with copyright clearance performed by Wikimedia.

Server. The convenience of a cloud backup is ensured by constant communication between your device and the server of your cloud provider. The essence of this vulnerability is that your device might be communicating with a server that is not actually controlled by your cloud provider.

Probably the best example of a man-in-the-middle (MITM) attack affecting the user-server relationship is the 2011 attack on Gmail in Iran. It got coverage from major cybersecurity organizations, including the Electronic Frontier Foundation.

Remedies against MITM attacks vary. Usually the best strategy for the end user is to use common sense and critical thinking. For example, the Iranian Gmail hack was exposed by an attentive customer who was using Google Chrome. In 2011 this browser was the first one to start using hardcoded website credentials for Google’s own services, including Gmail. Google calls this ‘built-in certificate pinning’.
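The pinning check described above, as an added example (not code from the original post or from Chrome): a client that accepts a server only if the certificate passes normal CA validation and its fingerprint is on a built-in list. Chrome pins public keys; this sketch pins the SHA-256 of the whole leaf certificate because the Python standard library has no X.509 parser. The `backup.example` name, the sample byte strings and the function names are assumptions made for illustration.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Do a normal CA-validated handshake and return the server's leaf cert."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def evaluate(der_cert: bytes, chain_valid: bool, pins: frozenset) -> str:
    """Decision of a pinning client once the handshake has produced a cert."""
    if not chain_valid:
        return "reject: untrusted chain"
    if fingerprint(der_cert) not in pins:
        # Signed by a CA the device trusts, but not the certificate we expect:
        # the case that CA validation alone cannot catch.
        return "reject: pin mismatch"
    return "accept"


def check_server(host: str, pins: frozenset) -> str:
    """Live check (needs network): any TLS failure counts as a bad chain."""
    try:
        return evaluate(fetch_leaf_der(host), True, pins)
    except (ssl.SSLError, OSError):
        return "reject: untrusted chain"


# Constructed stand-ins for DER certificates (not real X.509 data).
GENUINE_CERT = b"constructed: CN=backup.example, issued by the provider's CA"
ROGUE_CERT = b"constructed: CN=backup.example, issued by another trusted CA"
# Ship at least two pins (current + next) so a rotation does not lock you out.
NEXT_CERT = b"constructed: CN=backup.example, next year's certificate"
PINS = frozenset({fingerprint(GENUINE_CERT), fingerprint(NEXT_CERT)})

if __name__ == "__main__":
    for name, cert in (("genuine", GENUINE_CERT), ("rogue", ROGUE_CERT)):
        print(name, "->", evaluate(cert, True, PINS))
```

A pin mismatch on a chain that otherwise validates is worth logging and alerting on: it means either an unannounced certificate rotation or interception.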

Finally, access credentials are the most obvious weakness of any system. They can be compromised by the customer herself. This risk can be mitigated by daily password maintenance and by not using dubious password managers like the ones built into browsers (see our previous blog post on that).

However, the cloud nature adds an additional vulnerability, which does not depend on how well the customer keeps her passwords. This brings us to the concept of ‘zero knowledge’.

Zero Knowledge

All cloud based encryption services can be divided into two groups: zero knowledge and not zero knowledge, depending on whether they store your user authentication credentials inside their system. A 2011 blogpost by secretive author G.F. of the Economist finely explains the difference between the two groups using a gated housing communities analogy.

In a not zero knowledge community there is a management office and a guard that meets the residents at the gate, checks their IDs, walks them to their apartment and then unlocks the door using the master key. In this community everything depends on the integrity and professionalism of the guard and the management office. However, there is a tradeoff. The residents don’t need to worry about their keys. They just need to present a valid ID at the entrance.

A zero knowledge community is more like a private banking vault. The management office lets you bring your own lock and install it. There might also be an additional ID check at the entrance. However, it’s optional, and in the end everything depends on whether you have your private key. If you lose it, the door to your apartment stays locked forever.

 

The zero knowledge cave is a teacher’s pet of many cryptography professors. In 1990 Jean-Jacques Quisquater and Louis Guillou authored a paper in Advanced Cryptology titled ‘How to Explain Zero-Knowledge Protocols to Your Children’. The paper offers a simple and beautiful explanation of the zero knowledge concept by referring to the tale of Ali Baba and the Forty Thieves. Diagram by Wikipedia User ‘Dake’.

Most of the mass market cloud storage services like Google Drive, iCloud, Dropbox or Microsoft OneDrive are not zero knowledge. Google Drive and Dropbox can be turned into zero knowledge by purchasing, installing and configuring a plugin like Vultr or Duplicati.

However, performing such configuration requires an understanding of encryption and network administration. Most importantly, configuring a 3rd party solution on top of your Google Drive or Dropbox requires you to trust the intermediary service which enables zero knowledge on top of your vendor’s service.

Corporate solutions like Mozy, Infinit or Zetta are not zero knowledge by default. Usually, you have to purchase it as an additional option. The boxed backup solutions that are installed inside the customer’s perimeter vary. Still, usually they can be configured to be zero knowledge. However, such solutions have their own issues.

For example, you might be a small or individual business that cannot afford to hire a CISO or a dedicated network administrator. In this case you should either risk it by performing unguarded online syncing, or play it safe via wires, which adds complexity and sync lags and requires a schedule.

But is zero knowledge worth all the fuss? In certain cases it certainly is. Zero knowledge adds an additional and complicated step to the attack on you, namely: figuring out your credentials.

Zero knowledge prevents government interference as well. Some customers might not be happy with letting whoever controls or subpoenas their cloud provider see their backups. These customers aren’t necessarily drug dealers or child pornographers. They might be dissidents living under oppressive political regimes, or foreign government contractors whose contract stipulates specific information security provisions.

Backing Up iOS

A convenient backup is a long-time killer feature of Apple. The TimeCapsule NAS device and TimeMachine backup software are two great examples of a hardware/software tandem, offering the benefits and the security of a closed ecosystem.

Since iTunes 2.0 and an original iPod were introduced in 2001, there was a feature to backup customers’ songs. With the arrival of iPhone in 2007 iTunes backup started to include photos, contacts and SMS messages. In 2008 Apple introduced MobileMe — the cloud service capable of making online backups among many of its functions.

MobileMe was short lived and not very popular by Apple’s scale. In 2011 it was replaced by iCloud, this time propelling Apple to the big league of the largest cloud storage vendors in the World.

Unfortunately, being the locomotive of smartphone cloud backup, Apple did not take its security seriously. Then August 2014 and the Celebgate came… The mass hacking of iCloud in 2014 was based on spear phishing, which is a targeted form of phishing. We saw spear phishing again in 2016, with the DNC hack. The hack had nothing to do with the security of Apple’s servers. Rather, it was well-staged social engineering that successfully fooled iCloud customers.

Anyway, the iCloud 2014 hack highlighted the alternative option of direct backup to Mac. Wired backup of an iOS device to a desktop or laptop via iTunes has been available since the launch of iOS in 2007.

With the release of iOS 5 in 2010, Apple added wireless direct backup over WiFi to iTunes. Still, direct wired backup continues to be the preferred backup choice of old skool security paranoiacs. Or so it was, until the release of iOS 10.

One of the major new features of iOS 10 was third party integration with Apple’s iconic voice activated assistant software Siri. Unfortunately, this great innovation came together with a backup security shortcoming, as explained below. Image by Flickr user ‘iPhoneDigital’.

In the summer of 2016, Tim Cook announced a major update of iOS. Right after the public release of the software in September 2016, ElcomSoft, a Russian cybersecurity firm, published a post explaining a critical vulnerability of iOS 10.

Some readers might remember ElcomSoft and its employee Dmitry Sklyarov from the notorious DEF CON arrest case of 2001. According to the Russian firm, because of a security architecture mistake Apple made it 40 times easier to break the password protecting the file that contains the backup of an iOS device in iTunes on your laptop or desktop.

Apple responded within a single day, releasing an updated version of iOS with a security patch. However, the reputational damage was already done with articles all across the major media, including Forbes.

Another hard hit on Apple backups came in February 2017, when a research team from Bitdefender discovered that the authors of the APT28 worm had modified their software so that it can now target Macs and extract iOS backup data that’s stored on these Macs.

A diagram explaining APT28 techniques. Source: Joint White Paper by United States National Cybersecurity and Communications Integration Center and FBI.

To Apple’s credit — only those who do nothing, don’t make mistakes. The ecosystem created in Cupertino gives its customer convenience and continues to be quite reliable if configured properly, and if additional security layers are added on top of it.

Our reader might be interested in backing up her iOS device to the PC, not Mac. The story of Windows backup for iPhone has its own ups and downs. However, it was propelled to the next level in May of 2017, when Apple released iTunes 12 for Windows Store. Still, Windows backup of iPhone comes with three potential vulnerability avenues: those of Apple, those of Microsoft and those resulting from the ‘reseating’ between the two platforms.

Backing Up Android

The Android ecosystem is very liberal with backups. Frankly, this does not add reliability to it. A customer can back up her system using Google’s own Android Backup Service, which until recently was limited to images, videos, Internet passwords, WiFi passwords and certain application data. In order to back up messages and extended application data, Android offers a wide variety of third party applications, either pre-installed by the phone’s vendor or downloaded from Google Play by the end customer.

In order for a third party backup application on Android to back up data of another third party application, the system requires the Android on this device to be ‘rooted’. This process allows privileged access to the Android system on the rooted device. Akin to jailbreaking on iOS, rooting on Android is dangerous, as root access allows bypassing many of the security features of the Android architecture.

Therefore, installing a third party backup application and granting root access to it requires an application from a developer whom the customer can really trust. This requires not only ethical integrity, but also sound information security procedures on the vendor’s side. Otherwise, even a good faith application might become a problem if its code is hacked due to lax cybersecurity architecture.

A typical online ad for a rootkit application, promising rooting of the customer’s device ‘with one simple click’. One of the main reasons for rooting is online piracy. A rooted smartphone can run applications with pirated content that otherwise would not have been available officially from Google Play. Image credit: Android Central

Unfortunately, not all developers meet these standards. In turn, Google is quite relaxed with regard to application approval for its Play Store. As a consequence, Android end users willfully install numerous trojans and other malicious software every day without knowing what they’re actually doing.

The most notorious recent case was the Android.Spy.277.origin trojan in 2016. In order to bypass Google’s security procedures, most malware requires rooting and installation of an APK from a source other than Google Play. Android.Spy.277.origin is different. It can be downloaded from Google Play, integrated with legitimate and sometimes even useful applications, like utilities, photo editing and animated wallpaper apps.

Among other instances when malware was admitted to Google Play is the Mapin trojan hidden inside a bogus version of the popular Android game Plants v. Zombies. Another illustrative example is Brain Test. This app pretends to test the customer’s intellectual abilities while actually being a ‘loader’, a type of malware that is a gateway for malicious software to travel inside your system.

The Brain Test Android app landing page on Google Play was cute. Not so cute was its code, aimed at bypassing Google Bouncer, the software performing automated security screening for Google Play. Screenshot by CheckPoint Software Technologies.

Therefore, the bottom line with Android: try using Google’s official backup solutions as much as possible; avoid rooting and installing apps not from Google Play; be prudent and diligent with the third party applications you install. Sometimes an SMS backup or a night with a free movie might end up being a credit history nightmare.

How Does Hideez Help

Hideez offers encrypted Bluetooth syncing of passwords between your devices, without cloud or even an Internet connection involved. This minimizes avenues of attack to either remote hacking of your device or wiretapping the Bluetooth connection locally, with subsequent cryptanalysis of the intercepted data to bypass encryption.

Remote hacking is always a threat and can be mitigated by two methods. The first method is common sense, in cases of attacks like spear phishing. The second method is a high-quality firewall for IP monitoring and shielding from attacks involving a remote command and control center.

Wiretapping requires substantial resources and commitment on behalf of the attacking party. If the value of your private or business information justifies wiretapping, then you should have a physical security service. Ideally it would run as a daily routine with monitoring personnel, who should ensure any wiretap attempts are detected as early as possible and met with an adequate response.

Additionally, Hideez offers content encryption via its Media Vault. Such encryption will require the attacking party to take additional costly steps to extract the valuable information from your backup. Everybody can be hacked. Hideez is only making it a more costly and time-consuming task for the adversaries of our clients.

Author: Gennadiy Kornev

Marketing and Product Advisor of Hideez Technology, content distribution systems architect, project manager, tatko
