BoxCryptor vs. DropSmack: The battle to secure Dropbox

Can DropSmack malware be stopped? Michael P. Kassner asks the creators of BoxCryptor if it is up to the task of securing the Dropbox file-synchronization service.

I recently wrote about DropSmack; a potentially potent bad-guy tool that manipulates Dropbox's file-synchronization service in order to receive unauthorized command and control traffic from outside a network's perimeter. DropSmack is the creation of Jake Williams (@MalwareJake). In Jake's hands, it is a benevolent, helpful tool used to probe weak spots in a client's network.

But in the wrong hands, Jake quickly pointed out, either DropSmack or a similar software tool is an efficient way to gain a foot hold in highly-fortified corporate networks that knowingly or unknowingly employ a file-synchronization service.

That article stands out to me because it was one of the few times I was unable to offer a solution other than not use the application.

Ray of hope

As I responded to forum comments about DropSmack, I came across one titled, "This is why BoxCryptor is Available!" The member then offered a few thoughts as to how BoxCryptor might stymie DropSmack.

For some reason, BoxCryptor sounded familiar. After a bit, the fog cleared; TechRepublic ran an article about it back in February. Still, I didn't see how BoxCryptor could defeat DropSmack. With nothing to lose, and a chance to learn about BoxCryptor, I decided to ask the people at BoxCryptor what they thought about DropSmack.

What is BoxCryptor?

I first chatted with Andrea Wittek, CEO and founder of BoxCryptor; she then introduced me to Robert Freudenreich, BoxCryptor cofounder, and CTO. It didn't seem right to start with a question about DropSmack, so I asked Robert to explain BoxCryptor:

BoxCryptor is cloud-optimized encryption software made in Germany. With BoxCryptor, you can encrypt your files before uploading them to Dropbox, Google Drive, SkyDrive, Box, or any other cloud storage provider. BoxCryptor supports Windows, Mac OS X, Android, Windows 8, and iOS.

Note: It is important to remember both DropSmack and BoxCryptor work with any of the many file-synchronization services. To keep it simple, I'd like to continue using Dropbox to reference the entire group.

Next, I asked Robert why he felt BoxCryptor was needed:

I'm sure you are aware of the many serious security issues involving member data at various cloud storage providers. If you want to make sure your files are protected, you need BoxCryptor.

Robert then started to explain the intricacies of their encryption process. I quickly interrupted Robert, begging him to give me the "non-geeky" version (Follow this link to the geeky version):

BoxCryptor creates a virtual drive on your computer. When you store a file on the virtual drive, BoxCryptor encrypts the file on the fly, and stores it in your Dropbox folder. If you open a file in the BoxCryptor Drive, it is automatically decrypted. Because the key used for encryption is secured with a password, anybody who wants to decrypt and access the file has to know the correct password.

Andrea and Robert consider BoxCryptor to be "Zero-Knowledge" software. Calling something zero-knowledge seemed odd to me, so I asked Robert what they meant:

Zero-Knowledge software means we as the software developers of BoxCryptor do not have access to your keys or files. BoxCryptor is a true client-side software; both encryption and decryption are handled on your device.

Other encryption applications have made similar claims, and you the readers made it clear, assurances weren't enough, so I asked Robert for proof:

No internet connection is required to use BoxCryptor. This can be verified by monitoring the network activity of the BoxCryptor application (none if automatic update check is disabled). Additionally, the encryption algorithm is compatible to the open-source project EncFS, whose source code can be reviewed.

I was interested in something I read on the BoxCryptor website: individual files were encrypted, not containers (like what TrueCrypt uses). I asked Robert about the difference:

As you mentioned, BoxCryptor encrypts each file individually. Other applications use containers: fixed-size folders or virtual drives that retain all the files to be encrypted.

Next, Robert explained why encrypting individual files was important:

Unfortunately, containers do not play well with cloud storage, because synchronizing containers require a lot of overhead. This means:

  • Cloud-storage features like versioning cannot be used.
  • Collaboration is impossible.
  • Downloading the container on your mobile device will be time consuming.

And since BoxCryptor does not use containers, you can keep (most) features of your cloud storage provider, and use BoxCryptor on mobile devices.

I usually forget to mention the different versions of the application I'm writing about -- not this time. There are both free and pay versions of BoxCryptor. The additional features offered by the paid versions of BoxCryptor are:

  • Filename encryption: The paid versions not only encrypt the contents of a file, but even the name of the file or folder because sensitive information is often contained in the filename.
  • Multiple drives: The free version only has one BoxCryptor Drive. In the paid version you can have multiple drives at the same time (e.g. for different projects)

The next step

There's something exciting going on at BoxCryptor headquarters, but I'm not telling. I promised Robert he could:

It is exciting; we're releasing a new version -- BoxCryptor 2.0 -- in a few weeks. The current BoxCryptor application is great for individuals. But, businesses are now wanting to use cloud file-synchronization, and the current BoxCryptor software does not meet their needs. For example, exchanging passwords is a no-go for businesses. Additionally, BoxCryptor software was not meeting regulatory requirements.

To meet the additional needs, BoxCryptor 2.0 will:

  • Use a combination of RSA (4096 bit) and AES (256 bit) encryption to allow the sharing of individual files with other users and groups without having to share the password.
  • Allow policy setting, or a master key to decrypt all files from their employees when necessary.

Although the key server for BoxCryptor 2.0 is at our location, we still have neither knowledge of user passwords nor the ability to decrypt user files.

That's good news, Robert. Now that we understand BoxCryptor, I believe it's time... time to see if the DropBox BoxCryptor tag team can outsmart DropSmack.

And the winner is...

I had hoped the answer would be BoxCryptor either stops DropSmack or it doesn’t, but it’s not that simple. So I'll step aside, and let Robert explain where and when BoxCryptor will stop DropSmack:

After having a look at your article and the original slides for DropSmack, I came to the conclusion that BoxCryptor can be a deterrent for DropSmack in specific circumstances, but it is not a solution for the attack described.

BoxCryptor will not deter DropSmack:

  • If victims use BoxCryptor only for a subset of their Dropbox files. In this case, attackers can still place files containing DropSmack in the "unencrypted part" of Dropbox and execute their attack.
  • Or attackers have full access to the private laptop of the victim. When BoxCryptor is running on a machine, the encrypted files are exposed in plaintext in a virtual drive. In general, if attackers have full access to a computer, the victims have lost.

BoxCryptor will deter DropSmack:

  • If victims use BoxCryptor for all Dropbox files. They never work with unencrypted files in their Dropbox, but instead use the BoxCryptor virtual drive, meaning all files are automatically encrypted and decrypted.
  • If attackers do not have access to any of the victims' computers with BoxCryptor running nor the BoxCryptor password, they are:
    • Unable to decrypt any of the existing files and gain information from them.
    • Unable to create encrypted versions of the file containing DropSmack. BoxCryptor only allows valid encrypted files in the virtual BoxCryptor drive.

Robert summarizes:

If attackers get full (typically, remote) access to victims' computers or devices, it's difficult to further defend from this attack. BoxCryptor was not designed to prevent attacks where the victims' computers are compromised. BoxCryptor secures data against attackers attempting to access the data after it leaves your computer (employees of storage providers, attackers who hack the storage providers, etc.).

Final thoughts

There you have it. I'd give the edge to DropSmack. Still, BoxCryptor will make life a great deal more difficult for the bad guys at the computer level, and when your personal information is in transit. The obvious thing is to make sure your computers aren’t vulnerable (up-to-date, patch-wise), keeping the bad guys from getting that initial toehold on your computer.

I’d like to thank Andrea, Robert, and the team at BoxCryptor for their efforts at making the digital world more secure.


Information is my field...Writing is my passion...Coupling the two is my mission.


Michael. Is dropsmack detected currently by antivirus software?


This is the reason I am not using dropbox for a long time. I would advice checking Wuala or even better an article could be very good.


As I read the article, it sounds 100% the same as what PKWare's Viivo product operates (and the SecretSync product that is Viivo's predecessor). Has anyone seen a comparison of the two? Biggest concern I have with either product is that the "container" at the endpoint is wide-open -- no security on it other than the usual device-level access controls. In a perfect world, it would be nice to "lock up" the container/folder on the device a-la-TrueCrypt. Then when the user opens the container, the encryption/transfer engine would syncrhonize with the DropBox system.


Hehe. Thanks for this article and for mentioning my comments about boxcryptor. Great writing! I have my full dropbox content encrypted with boxcryptor. I don't want dropbox tech support being able to look into my files. Privacy is important. Again: a set of minimum rules needs to be implemented for a secure network: NAC, Encryption, GPO's, Policies, Firewalls, Antivirus, NTFS, Auditing, Limited user accounts, etc. Something like Cisco Security Agent (CSA) is definitely the best option for Dropsmack.


Excellent articles on Dropsmack and BoxCryptor. I've just read them both but still have some confusion. 1) E.g., I encrypt 90% of my files in Dropbox utilizing BoxCryptor. But, I have some folders where some friends share pictures back and forth. A criminal could put a dropsmack type file in those picture folders to gain access to my computer and eventually the network. Am I right? 2) Assuming I'm right, would running scans directly on my dropbox file via Malwarbytes, antivirus programs, etc be able to detect dropsmack-like files? 3) Yea, I know, I need to get a different dropbox for the pics I share. That's painfully obvious now.

Michael Kassner
Michael Kassner

DropSmack uses Dropbox as a free pass through perimeter defenses. Will BoxCryptor prevent that from happening?

Michael Kassner
Michael Kassner

I'll ask Jake. I suspect it is such that it would not take much to alter the signature even if it was detected.

Michael Kassner
Michael Kassner

I am not sure if Jake is looking specifically at Wuala. But, from what I read about it, Wuala is just a conduit, and DropSmack would use it the same as Dropbox.

Michael Kassner
Michael Kassner

But, I still would be susceptible to DropSmack if the bad guy could come up with a file that I would be curious to open. The big issue is how the bad guy owns the first exploited computer. If the bad guy has remote access, he can add a file to TrueCrypt while it is open, with hopes that I will open it when I was using a different computer that had TrueCrypt synced to it.

Michael Kassner
Michael Kassner

The question I have is BoxCryptor configured so that you do not enter the password each time? If it is, then you are still vulnerable if a bad guy owns your machine. From what you have said, that seems like an unlikely circumstance though.

Michael Kassner
Michael Kassner

The first question is an interesting one, and depends a great deal on what the attacker wants. If your friend is a high-value target and simpler methods have failed, this might be feasible. If there is enough intent or desire, the attackers will first compromise (gain control) of your computer. Next, the attackers will use your Dropbox share folder as a conduit for getting the file infected with DropSmack to your friend's computer. The tricky bit is getting the friend to open it and infect that computer with whatever malware the attackers need to get what they want. Another possibility is if the attackers are just looking to infect computers or enlist computers for a botnet. Placing an infected image file in your shared folder, and your friend opening the file would achieve that. The second question is iffy at best. It always depends on whether MBAM has the signature of DropSmack or the malware in question. Then it will detect it.

BoxCryptor adds to the Dropbox functionality. BoxCryptor puts files in the Dropbox folder so they can be synchronized. Another service can do the same thing (Dropsmack) without impacting the BoxCryptor process. The files won't get encrypted, but they don't need to be. The initial infection would probably be a hand modified file to get the system up an running. After that the service would manage the files.


You need to enter boxcryptor password in every login / restart. I'm wondering if windows encryption helps with Dropsmack?

Michael Kassner
Michael Kassner

The way Jake has DropSmack setup, the user would have to open the file in order to activate DropSmack. If there is a method of activating a malicious file without user intervention then we all are in big trouble.

Michael Kassner
Michael Kassner

But, you do not have to there is a config that you can check and BoxCryptor remembers the password and starts automatically. Robert pointed out that BoxCryptor or Windows encryption do little to slow down the bad guy if they own the computer. They would just wait until you logged in and then do their thing.