
Top 5 Encryption Threats You Need To Know


Stolen Private Keys, Supply Chain Attacks, Quantum Computing and More Put Encryption at Risk

Encryption is a powerful tool to protect your sensitive data from unwanted eyes. Aside from safeguarding personally identifiable information, which could be used for identity theft or to gather financial information, encryption guards government secrets. Although encryption is a critical tool to protect secretive data, it’s still susceptible to cyber attacks.

Historians suspect the start of encryption can be traced back to the beginning of writing. Since its establishment, encryption has transformed from archaic cave designs into intricate and sophisticated methods to secure data on the web. Even from the start, there have always been threats to encryption. Yet, encryption methods have continued to overcome advancements and evolved to maintain privacy.

In 2022, more than 4,100 publicly disclosed data breaches occurred. However, this figure hardly expresses the severity of the data breaches. In one instance, a data breach exposed $39 million of individuals’ private data. What’s more? Breaches are growing increasingly common.

If it all sounds scary, you’re not alone. The industry is changing to adapt and prevent breaches, but it might take time. Even so, some of the threats to encryption are years away. We’ve rounded up the top 5 encryption threats and what individuals and the industry can do to stay safe. 

What is Data Encryption? How to Efficiently Protect Your Data.

Before we jump into encryption threats, let’s define encryption. Encryption converts plaintext into incomprehensible and seemingly random code. Since the beginning of writing, cryptography techniques have been used to jumble data into indecipherable code to secure private data.

Graphic depicting encrypted text to decrypted, plaintext. The graphic shows how plaintext is converted to cyphertext and then again to plaintext through the encryption process.

Ciphertext, which is incomprehensible text, requires a unique key to unlock readable text. This cryptographic key consists of mathematical values that both the recipient and the sender have agreed to. Though encryption might seem like an illogical jumbling of letters, it all falls back into place when you have the right key. 

Data encryption, the practice of scrambling information through cryptography, effectively protects private information. For example, suppose you’re purchasing online and want to ensure your data is hidden from cyber attackers. In this case, you’ll want to look for a small lock icon in the URL, which signifies the transaction is guarded by SSL/TLS encryption. Looking for this signal is one way to ensure that your data is securely communicated between the website and server.

The most sophisticated cryptographic keys are so intricate that it would be unlikely that a hacker would be able to decrypt the ciphertext through brute force. However, attackers have evolved and found ways to steal the encryption key or intercept the data before or after it’s been encrypted.

You see, encryption methods like SSL/TLS protect data in transit. This means a hacker could intercept the data before it’s sent out or after it’s arrived. Ultimately, encryption methods like SSL authenticate the identity of a website and prevent attackers from stealing personal data.

Encryption Threats: How to Mitigate Risks and Secure Data

With nearly every website and popular online productivity apps like Microsoft Office 365 using encryption, it’s no wonder attackers are finding ways to outmaneuver encryption methods. A Check Point Research (CPR) study uncovered that cyber attacks increased by 38% in 2022 compared to 2021. Many cyber attacks targeted collaboration tools for work-from-home environments, e-learning, and healthcare organizations. With data breaches becoming more common, we must improve the strength of our security systems. To do this, we must first understand what we’re up against.

1. Hackers Steal the Encryption Keys to Private Data

Remember the key used to unscramble encrypted text? Well, hackers have found ways to steal it. An increasingly common way for hackers to breach sensitive data is by stealing an encryption key. In one case, hackers stole encryption keys to the U.S. Treasury Department’s computer systems, likely gaining access to top officials’ email accounts. With the encryption key, hackers forged credentials and gained access to cloud-hosted Microsoft email accounts.

In the LastPass breach in late 2022, hackers leveraged data from an incident in August 2022 to target an employee. From there, hackers gathered credentials and keys to decrypt data within the cloud-based storage service.

Although methods like SSL/TLS encryption, API keys, and passwords help keep data safe, they can only protect the data if they are kept secret. No matter how complex the encryption algorithm is, cybercriminals can quickly decrypt private data if the encryption key is no longer kept secret. 

So, how do hackers steal encryption keys? One recent exploit is the Side-Channel Attack (SCA), which analyzes a system’s pattern of memory utilization, or even the electromagnetic outputs of the device, to steal the cryptographic key. Security experts warn that Side-Channel Attacks are a threat to encryption, as research shows they are used to break cryptography methods. Even the most “algorithmically robust” cryptography methods aren’t safe from Side-Channel Attacks.

But that’s only one piece of the puzzle that hackers use to steal encryption keys. Hackers are using the Wayback Machine (that nifty tool that lets you see Myspace back in 2003) to scan old files. Even if a vulnerable key was later removed from a page, hackers can use that past mistake to steal today’s encrypted data if the key was never rotated.
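The removed-but-never-rotated problem described above can be checked from the defender's side. The following is an added example, not code from the original article: it pulls key-like strings out of archived copies of your own files and reports any whose fingerprint matches a key that is still accepted today. The key format, regex, snapshots and key values are all constructed assumptions.

```python
import hashlib
import re

# Assumed key format for this example: "sk_" followed by 24 hex characters.
KEY_PATTERN = re.compile(r"\bsk_[0-9a-f]{24}\b")


def fingerprint(secret: str) -> str:
    """SHA-256 fingerprint, so the inventory never has to store the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()


def find_exposed_active_keys(snapshots, active_fingerprints):
    """Return sorted (key name, snapshot date) pairs for active keys found in archives.

    snapshots: iterable of (date, text) for archived copies of our own files.
    active_fingerprints: dict of fingerprint -> key name for keys still accepted today.
    """
    findings = set()
    for date, text in snapshots:
        for token in KEY_PATTERN.findall(text):
            name = active_fingerprints.get(fingerprint(token))
            if name is not None:
                findings.add((name, date))
    return sorted(findings)


# Constructed sample data: two keys once published in an old config file.
OLD_BILLING = "sk_" + "a1" * 12   # removed from the page AND rotated
OLD_REPORTS = "sk_" + "b2" * 12   # removed from the page, never rotated
NEW_BILLING = "sk_" + "c3" * 12   # replacement issued when billing was rotated

SNAPSHOTS = [
    ("2021-03-04", f"billing_key = '{OLD_BILLING}'\nreports_key = '{OLD_REPORTS}'\n"),
    ("2023-01-10", "billing_key = os.environ['BILLING_KEY']\n"),  # keys removed
]

# What the services accept today: the reports key is still the leaked one.
ACTIVE = {
    fingerprint(NEW_BILLING): "billing",
    fingerprint(OLD_REPORTS): "reports",
}

if __name__ == "__main__":
    for name, date in find_exposed_active_keys(SNAPSHOTS, ACTIVE):
        print(f"ROTATE NOW: key '{name}' is still active and appears in snapshot {date}")
```

Only the `reports` key is flagged: deleting it from the current page did nothing, because the archived copy still holds a value the service accepts.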

Lock on top of a credit card to symbolize encryption and how it defends against threats.

2. Cybercriminals Side-Step Encryption Methods

Encryption is a key building block of data security. It stands at the forefront against cyber attacks by ensuring data in motion can’t be read by cybercriminals. However, cybercriminals have uncovered loopholes in accessing encrypted data.

  • Social Engineering Attacks: This includes a wide range of malicious activities conducted through human interactions. The attacker first investigates the victim to gather relevant background information, then acts to secure the victim’s trust, and ultimately collects information to access private data. This attack relies on gathered information to dodge decryption altogether. The best way to prevent this method of attack is to be hypervigilant on the internet by using multifactor authentication, deleting emails sent from suspicious sources, and maintaining the latest software updates.  
  • Supply Chain Attack: Attackers prey on trusted third-party vendors who provide software or services integral to the supply chain. Criminals inject malicious code into the application, infecting app users with compromised code. To prevent this attack, employ strong code integrity policies and endpoint detection and response solutions to pinpoint and repair suspicious activities. 
  • SQL Injection Attack: Attackers exploit application vulnerabilities to inject malicious SQL code, which allows them to read or modify a database. This attack exposes customer and user data, provides system administrative access to the attacker, and compromises data integrity. To prevent this method of attack, administrators should validate user-supplied input, use a parameterized query and ensure all application components are updated regularly. 
A screen with code written in green and "code injection" in orange as an encryption threat.
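The two SQL injection defenses named in the list above (validating user-supplied input and using a parameterized query) are shown here beside the string-built query they replace. This is an added example, not code from the original article; the table, the username policy and the crafted input are constructed assumptions.

```python
import re
import sqlite3


def make_db():
    """Build a small in-memory customer table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return db


def lookup_vulnerable(db, username):
    """BEFORE: input is pasted into the SQL text, so it can change the query itself."""
    query = "SELECT email FROM customers WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(query)]


def lookup_bound_only(db, username):
    """Parameter binding alone: the input is passed as data and never parsed as SQL."""
    return [row[0] for row in db.execute(
        "SELECT email FROM customers WHERE username = ?", (username,))]


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # assumed username policy


def lookup_safe(db, username):
    """AFTER: reject input that breaks the policy, then bind it as a parameter."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return lookup_bound_only(db, username)


CRAFTED = "nobody' OR '1'='1"  # constructed input that contains SQL syntax

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, CRAFTED))   # returns every customer's email
    print(lookup_bound_only(db, CRAFTED))   # returns no rows
    print(lookup_safe(db, "alice"))         # normal lookup still works
```

Binding is the control that actually stops the injection; the validation layer rejects malformed input earlier and gives you something to log and alert on.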

Since encryption is so successful at preventing cybercriminals from reading private data, they’ve found workarounds that don’t involve encryption. Though they’ve found other vulnerabilities, there are steps individuals and organizations can take to prevent attacks. While some preventative measures include multi-layered solutions, others are as simple as not downloading files you can’t authenticate.

3. Law Enforcement Can Sometimes Decrypt Messages

Have you ever wondered how much of your data law enforcement can gather from your encrypted messages? A Federal Bureau of Investigation (FBI) document reports how, with legal process, they can obtain metadata and some stored messages. However, the data the FBI can gather through lawful access depends on the app, as there is little regulation.

Photo of the FBI emblem. The law allows the FBI to legally obtain encrypted data.

What we know so far is that organizations have varying policies on what information they will provide to law enforcement. For example, when law enforcement provides a warrant for “all records” an organization may have on an individual, the information provided depends on the extent of user data the organization retains.

Apps like iMessage and WhatsApp, for example, store very little user message content, which may come as a shock since your message is backed up. However, the caveat is that your messages aren’t necessarily backed up through the application itself. Take WhatsApp, for example: When you back up your messages, they will be backed up to a chosen cloud service. So, if a criminal has encrypted messages from WhatsApp, law enforcement would need a search warrant for that cloud service.

However, messages on apps like Facebook Messenger and WhatsApp are secured through end-to-end encryption. As a result, only the end-user has access to the decrypted data. In this case, Facebook wouldn’t even be able to provide the government with the key to decrypt the information. Even so, some parties advocate for messaging apps not to use end-to-end encryption so that law enforcement can access messages in instances that “warrant” surveillance.

So, are my messages on apps like Facebook Messenger and WhatsApp safe?

Well, the answer to that can vary. Right now, messaging apps like iMessage and WhatsApp can only provide limited message content to law enforcement because of their data policies. There is also very little regulation on social media communication in the U.S. However, some laws limit the U.S. government’s ability to surveil individual social media messages:

  • The Privacy Act limits the “collection, storage, and sharing” of a U.S. citizen’s personally identifiable information, including social media data.  
  • The First Amendment protects an individual’s right to freedom of speech.
  • The Fourth Amendment defends an individual from “unreasonable searches and seizures” by government officials.
  • The Fourteenth Amendment guards against surveillance targeted at an individual because of their race or ethnicity. 

But many debate whether end-to-end encryption should be used on messaging apps or if law enforcement should be provided a backdoor to unlock messages in warranted cases. In 2019, a U.K. proposal called the GHOST protocol would allow British law enforcement to listen to encrypted communication. The GHOST protocol stirred up trouble in an already highly contentious international debate. Cybersecurity experts and privacy advocates weighed in on the issue and warned against this GHOST protocol. Companies like Facebook and Apple signed a letter to the U.K. government, cautioning that the protocol would set a terrible precedent that could provide backdoors to encryption.

The answer to whether your encrypted messages can be read by law enforcement is convoluted and greatly depends on an app’s data retention policies. For example, with reasonable cause, U.S. law enforcement can request a search warrant to access encrypted messages. Yet, when law enforcement requests private data with a warrant, the organization can only provide the user data they’ve retained.

4. Applications May Provide Data to Nation-State Actors

In the U.S., there are 65.9 million monthly users of TikTok, spending an average of 45.8 hours daily on the app in 2022. For about 45 minutes each day, the app collects and tracks data for each user. You can thank TikTok’s algorithm for targeted content that keeps users hooked, doom-scrolling and generating A LOT of data.

So, what’s the big deal? I like the customized videos.

Well, it’s a big deal because of the amount of data the app captures about individuals and by whom. First, the app collects and stockpiles an array of data, including:

  • IP address
  • Network activity
  • Search history  
  • Approximate location information
  • Message content
  • Keystroke patterns
  • Behavioral information
  • Biometric data

Read that last line again (and again if you have to). In case you’re wondering, biometric data includes faceprints and voiceprints. At this time, we’re not exactly sure what TikTok does with biometric data. So, why does this social media app need your biometric data? Good question.

Even though we can’t say for sure what the app’s intentions are for biometric data collection, we can warn users to beware, especially considering how easy it could be for state actors to decrypt this specific data. In 2022, it was revealed that U.S. TikTok user data could be provided to employees through “approved protocols.”

Beijing-based parent company ByteDance owns TikTok. Cybersecurity experts warn users that the company’s ties to the Chinese government could be a threat. Experts caution that the app’s highly efficient algorithm could be manipulated to control what content users see and potentially sway public opinion.

But this isn’t the scariest part.

Since ByteDance is headquartered in China, they’re subject to Chinese law. This means that for whatever reason, if the Chinese government requests encrypted user data, ByteDance must comply. In fact, ByteDance doesn’t even have the right to appeal a request like this from the government. So, although many of TikTok’s privacy concerns are brushed off as tools “used for advertisements,” the reality is that the state could request and then use the data for intelligence reasons.

5. Capture Now, Decrypt Later with Quantum Computing

Since the 1970s, RSA encryption has been the standard method of cryptography to protect communication between Internet platforms. In 1994, Peter Shor published an article explaining that a quantum algorithm could one day crack RSA encryption. However, it was believed to be a concern of the future.

A graphic with RSA in the center, surrounded by lock, gadget, HSM, and globe symbols. Quantum computing is a threat to encryption as it can one day break RSA encryption.

Although it’s still years away, quantum computers will soon be powerful enough to crack public-key encryption. Research into quantum computing hardware has significantly increased in the 2010s, gaining so much momentum that quantum hardware breakthroughs are always on the horizon. However, the advancements in quantum computing aren’t without risks.  

In May of 2022, the White House sounded alarm bells by releasing a security memo to federal agencies, warning about quantum technology’s threat to encryption. Alongside the message, the White House directed federal agencies to take an all-hands-on-deck approach to develop quantum-resistant technology. To speed up this process, the U.S. government announced that the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) would start the development of new quantum-resistant cryptography standards.

Once quantum computers with the power to decrypt RSA become available, Internet communication as we know it will be jeopardized. Today, it would take about 300 trillion years for a traditional computer to break RSA encryption. However, experts suspect that a quantum computer with 4099 stable qubits could break RSA encryption in 10 seconds. To date, the largest qubit count of any quantum processor is the 433-qubit IBM Quantum Osprey. Even now, attackers are stealing and storing encrypted data to one day be decrypted by quantum computing power. Though advanced threat actors are stockpiling private data, industry leaders are working to secure confidential data. For example, OpenSSH created the NTRU algorithm, which they believe could combat capture now, decrypt later attacks.

Is Encrypted Data Safe?

Data encryption is a powerful method to secure private information, but it’s not completely secure against all cyber attacks. These top encryption threats jeopardize personal data from landing in the wrong hands. Nevertheless, there are ways to guard personal data. One of the most successful methods of ensuring data remains encrypted is through a multi-layered approach to data security. A layered data security approach deploys multiple controls to safeguard the most susceptible areas. Under this approach, if a single layer were breached, the entire data system wouldn’t be at risk. This risk mitigation strategy considers the present and future threats to encryption by deploying multiple security controls.