Dropbox: Convenient? Absolutely, but is it secure?

A potential security lapse and possibly misleading statements are plaguing Dropbox, a hugely popular file-syncing app. What are the issues and is concern justified?

Some statistics:

  • Currently 25 million people use Dropbox.
  • Dropbox members are spread over 175 countries.
  • On any given day, over 200 million files are saved in Dropbox.

Not bad for a service four years old. Drew Houston, co-founder and CEO, points out:

"Dropbox transforms the way people create and share their life's work. Whether that's designing buildings, writing music, or raising a family, we're focused on making it effortless to have your files wherever you need them, on any computer or phone."

So, what is Dropbox?

From Dropbox:

"Dropbox is a service that lets you bring all your photos, docs, and videos anywhere, and share them easily. Any file you save to your Dropbox will automatically save to all your computers, your phone or iPad, and the Dropbox website."

Dropbox offers:

  • 2 GB of Dropbox space for free, with subscriptions up to 100 GB available.
  • Work offline. Your files are available, whether you have a connection or not.
  • Files are also available from the Dropbox website.
  • Dropbox works with Windows, Mac, Linux, iPhone, iPad, Android, and Blackberry.
  • To save time and bandwidth, Dropbox only transfers the parts of a file that change.

Dropbox also has the ability to share files with others. And, if your computer melts down, you can restore all your files from the Dropbox website.

Is there a problem?

Anyone who knows me understands something. I ask questions, lots of questions. It's my grandfather's fault. I still can hear him: "How in hell can you make a good decision if you don't know the facts." Thanks to Grandpa, I pay attention if something is "up close and personal".

Warning: This is one of those times.

Two highly skilled researchers, Derek Newton and Christopher Soghoian, have issues with Dropbox. Newton stumbled onto a viable attack vector and Soghoian found serious inconsistencies in the Dropbox privacy policy.

I use Dropbox. And, when security researchers I'm familiar with publicly post warnings, a bomb goes off in my head. Besides, I know many people who use Dropbox.

So, like all good journalists--particularly those with grandfathers like mine--I feel obligated to gather the facts as presented by all parties. To that end, I contacted Dropbox. The following questions were answered by ChenLi Wang, Business Operations at Dropbox.

Kassner: The "How secure is Dropbox?" web page states:

"Your files are actually safer while stored in your Dropbox than on your computer in some cases. We use the same secure methods as banks and the military."

What does that mean?

Dropbox: We all have stories from our family and friends about the file that was accidentally deleted or replaced, the inadvertent coffee spill, the dropped laptop, the USB stick gone missing.

We believe that storing data in Dropbox is far safer than how many of them store data currently, and we've designed Dropbox to help users avoid the most common threats to their data.

Kassner: Derek Newton posted the following on his blog:

"If you gain access to a person's Dropbox config.db file (or just the host_id), you gain complete access to the person's Dropbox. Taking the config.db file, copying it onto another system then starting the Dropbox client immediately joins that system into the synchronization group."

I understand this requires contact (physical or remote access) with the computer. Still, if successful, a third party would have access to all the files in the Dropbox account. Do you consider this to be a problem?

Dropbox: Unfortunately, when a computer is compromised physically or by a trojan/virus, all applications and data on the computer are at risk. That said, there were things we could do to make Dropbox more resistant to attacks from someone with access to your computer, and we immediately began working on a solution.

First, we released an update to the Dropbox client software that set more restrictive permissions on the folder that stores the authentication file.

Next, about a month ago, we released to our user forums a build of the client that encrypts the entire config.db file, making user credentials much harder to steal. We will be auto-upgrading all users to this build soon; the encrypted config.db file breaks several third-party apps, so we want to give them a chance to design workarounds first.

Also, it is possible to see what computers have access to the Dropbox files by logging into the web interface and going to this link.

If a computer is not recognized, unlink it.

Kassner: Christopher Soghoian filed a complaint with the FTC. He alleged Dropbox misinformed the public about the protection of user data. Prior to April 2011, Dropbox stated on this webpage:

"All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password."

After April, it changed to:

"All files stored on Dropbox servers are encrypted (AES 256)."

Would you explain why you changed this?

Dropbox: We were explaining that there are multiple safeguards on your data: that the files are stored encrypted and in addition, protected by your access credentials. However, a security professional could incorrectly infer that the encryption key comes from the user's password, so we've separated the two points for clarity.

Kassner: Soghoian also pointed out that the following quote from the same Dropbox webpage:

"Dropbox employees aren't able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents)."

Became:

"Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations)."

Why did the statement change?

Dropbox: "Dropbox employees aren't able to access user files." That means that we prevent such access via access controls on our backend as well as strict policy prohibitions. That statement didn't say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this:

"Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that's the rare exception, not the rule.

We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access."

Kassner: Thank you for providing your position with regard to the allegations. I have a few security questions as well.

In the iPhone Dropbox app, a four-digit passcode is required to open the application. Do you have any plans for an option that would allow more-complex pass codes?

Dropbox: Users have not requested this feature to date. The iPhone passcode is intended to protect the user's files in case the phone is lost or stolen. Users can enable a setting that will delete the Dropbox data on the phone should the wrong passcode be entered over ten times. It is not a replacement for the password on the account, which is required to link the Dropbox to the iPhone for the first time.

Kassner: There is a third party application called SecretSync that encrypts files before they are transferred to Dropbox. Would you recommend it for people that would like additional security? Would TrueCrypt be another option?

Dropbox: Yes, we have always recommended third-party encryption solutions for advanced users who are comfortable managing their own encryption keys. TrueCrypt has been the most popular option to date, but other solutions include EncFS, SecretSync, and BoxCryptor.

It's important to understand that user-managed encryption has tradeoffs. First, many people publicly share photos and documents through Dropbox, and this will not be possible if those files are encrypted before being placed in Dropbox. Second, if they lose the password or encryption key to the files they encrypted themselves, those files are lost forever.

Final thoughts

Convenience versus security, the problem with all SaaS applications, has landed at Dropbox. How much do you trust the service provider?

Hopefully, I have provided enough information to make an informed decision about how to use Dropbox. Thanks, Grandpa.
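
The permission fix Dropbox describes in the interview can be checked on a POSIX system with a short audit. The following is an added example, not code from the article or from Dropbox; the directory argument, the function names and the owner-only modes 0700/0600 are assumptions, and only the file name config.db comes from the article.

```python
import os
import stat
import tempfile

# Assumption: the caller passes the directory that holds the client's
# authentication database; the article names only the file, config.db.
AUTH_FILE = "config.db"

def audit_auth_store(directory, auth_file=AUTH_FILE, expected_uid=None):
    """Return a list of findings for a credential directory on a POSIX host."""
    if expected_uid is None:
        expected_uid = os.getuid()
    findings = []
    for path in (directory, os.path.join(directory, auth_file)):
        try:
            st = os.lstat(path)  # lstat: do not follow a planted symlink
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: is a symlink")
            continue
        if st.st_uid != expected_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}")
        # Any group or other bit lets another local account read or replace it.
        exposed = stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO)
        if exposed:
            findings.append(f"{path}: group/other bits {oct(exposed)}")
    return findings

def harden_auth_store(directory, auth_file=AUTH_FILE):
    """Owner-only access: 0700 on the folder, 0600 on the file."""
    os.chmod(directory, 0o700)
    os.chmod(os.path.join(directory, auth_file), 0o600)

def demo():
    # Constructed sample: a throwaway directory standing in for the real one.
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, AUTH_FILE)
        with open(db, "wb") as fh:
            fh.write(b"constructed placeholder, not a real database")
        os.chmod(d, 0o755)   # weak: other accounts can list the folder
        os.chmod(db, 0o644)  # weak: other accounts can read the file
        before = audit_auth_store(d)
        harden_auth_store(d)
        return before, audit_auth_store(d)

if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after or "no findings")
```

Owner-only modes keep other local accounts away from the file; they do not stop code running as the same user, which is why the interview also mentions encrypting config.db and reviewing the list of linked computers.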

68 comments
josephpritchard91

@Michael Kassner Great article and great questions. Glad you followed your Grandpa's example! I use consumer applications like Dropbox and OneDrive only for files that aren't very important because of truths like these. Businesses need to be aware of enterprise alternatives to Dropbox such as Thru. If businesses have their own secure solution that drives employees away from apps like Dropbox, it satisfies convenience and security that businesses demand. http://www.thruinc.com/managed-file-transfer/

Convenience is definitely not a good reason to compromise sensitive data as your title suggests. Thanks for posting!

steve morin

Saw your message on security in Dropbox.

Small issue.

My company wants to use this. So I installed it. Next thing I know I go out to dropbox and there are three desktop images in my pictures. It seems the default setting is to make the print screen key capture image and store them. Even if you just close the pop up the image is already saved. No install option and no warning on installation.

Yes you can turn it off but.... possibly sensitive data is already up there.

This kind of stuff seems minor but it shouldn't happen.

Previous installation was tried and removed for known issue a year or so ago.

Not a fan so far.

passdropit

A little self-promo here... I had some issues with this, so I rolled my own password protection onto Dropbox links. Now I'm making a product out of it... check it out at http://passdropit.com 

kprivigyi

Our company hired a guy, and the first thing he did was install dropbox, copy our customer lists, files, etc. and then quit. Even discovering it the next day is too late. Of course I blacklisted it. Who cares how secure it is, when its primary functionality is a direct threat to a company?

FinancialPlanner

Our company recently switched over from Dropbox to Google Drive due to one very important security issue with Dropbox. We discovered that sharing a file that is already shared will give the recipient top level access. For example, I share my client files with my administrative assistant. If I try to share a specific client file with a client, then that client would be able to see all of our clients' folders. I talked to somebody at Dropbox about this, but they didn't seem too concerned. This is a lawsuit waiting to happen.

nxb3942

I think everyone would prefer more security to less, but it's about who wants to pay for it and how much it is worth to them. Most individuals would never get something like www.thruinc.com/solutions/secure-dropbox/ but lots of businesses do because they need the extra security and functionality for many reasons that help them to make more money or keep from losing money.

Doug Vitale

If you upload files to a third party like Dropbox that are of a sensitive or private nature (tax returns, internal use business documents, photos with the potential to cause embarrassment, etc) you are making the hefty assumption that the third party will effectively safeguard your files (i.e., absolutely maintain their confidentiality and integrity). This being the case, you should only ever store such files on drives or media that you personally can oversee and administer. Dropbox and MediaFire are fine for MP3s, eBooks, harmless photos, and the like. If you decide to upload sensitive files to a third party, you assume the risk and should not act surprised or annoyed when breaches occur.

emartin

The URL you provide for SecretSync is broken up into two different links. The "front half" link takes you to their website, the "back half" takes you nowhere.

chriscos

It is true that you may be risking the security of your data by sharing it and using Dropbox, but it is a price that is paid through various synchronization services like that of Dropbox. Does there exist a file sharing and storing service that can guarantee you security along with easy usability and functionality?

dnletoile

Keep in mind the issue of allowing the use of Dropbox at your company by employees. Dropbox would make it much easier to copy restricted company files by a disgruntled employee than copying them to a flash drive. Granted, you can set your servers to log that activity, but that's a heck of a lot of data to keep/store...and by the time you notice (if at all) "Elvis has already left the building". We block Dropbox access at my job site.

seanferd

And I don't see anywhere that it is suggested that users use their own encryption for sensitive data in the main marketing pages. Possibly under the support links, but no one reads those until there is a problem. A quick mention could be easily used as a positive selling point. (But that may get in the way of the hip new web page style that uses loads of whitespace.)

santeewelding

All them multiple posts, or has your encryption gone haywire, too?

tbmay

People either care about security or they don't. Most don't.

Derek Schauland

Are you still a dropbox user? With or without prior file encryption?

apotheon

The answer is simple: Your data should never be treated as "secure" when stored on someone else's computer(s) unless you've encrypted the data before it gets there using the strongest encryption scheme you can reasonably use.