A potential security lapse and possibly misleading statements are plaguing Dropbox, a hugely popular file-syncing app. What are the issues and is concern justified?
- Currently 25 million people use Dropbox.
- Dropbox members are spread over 175 countries.
- On any given day, over 200 million files are saved in Dropbox.
Not bad for a service four years old. Drew Houston, co-founder and CEO points out:
"Dropbox transforms the way people create and share their life's work. Whether that's designing buildings, writing music, or raising a family, we're focused on making it effortless to have your files wherever you need them, on any computer or phone."
So, what is Dropbox?
"Dropbox is a service that lets you bring all your photos, docs, and videos anywhere, and share them easily. Any file you save to your Dropbox will automatically save to all your computers, your phone or iPad, and the Dropbox website."
- 2 GB of Dropbox space for free, with subscriptions up to 100 GB available.
- Work offline. Your files are available, whether you have a connection or not.
- Files are also available from the Dropbox website.
- Dropbox works with Windows, Mac, Linux, iPhone, iPad, Android, and Blackberry.
- To save time and bandwidth, Dropbox only transfers the parts of a file that change.
Dropbox also has the ability to share files with others. And, if your computer melts down, you can restore all your files from the Dropbox website.
Is there a problem?
Any one that knows me understands something. I ask questions, lots of questions. It's my grandfather's fault. I still can hear him: "How in hell can you make a good decision if you don't know the facts." Thanks to Grandpa, I pay attention if something is "up close and personal".
Warning: This is one of those times.
I use Dropbox. And, when security researchers I'm familiar with publically post warnings, a bomb goes off in my head. Besides, I know many people who use Dropbox.
So, like all good journalists—particularly those with grandfathers like mine—I feel obligated to gather the facts as presented by all parties. To that end, I contacted Dropbox. The following questions were answered by ChenLi Wang, Business Operations at Dropbox.Kassner: The "How secure is Dropbox?" web page states:
"Your files are actually safer while stored in your Dropbox than on your computer in some cases. We use the same secure methods as banks and the military."
What does that mean?
Dropbox: We all have stories from our family and friends about the file that was accidentally deleted or replaced, the inadvertent coffee spill, the dropped laptop, the USB stick gone missing.
We believe that storing data in Dropbox is far safer than how many of them store data currently, and we've designed Dropbox to help users avoid the most common threats to their data.
Kassner: Derek Newton posted the following on his blog:
"If you gain access to a person's Dropbox config.db file (or just the host_id), you gain complete access to the person's Dropbox. Taking the config.db file, copying it onto another system then starting the Dropbox client immediately joins that system into the synchronization group."
I understand this requires contact (physical or remote access) with the computer. Still, if successful, a third party would have access to all the files in the Dropbox account. Do you consider this to be a problem?Dropbox: Unfortunately, when a computer is compromised physically or by a trojan/virus, all applications and data on the computer are at risk. That said, there were things we could do to make Dropbox more resistant to attacks from someone with access to your computer, and we immediately began working on a solution.
First, we released an update to the Dropbox client software that set more restrictive permissions on the folder that stores the authentication file.
Next, about a month ago, we released to our user forums a build of the client that encrypts the entire config.db file, making user credentials much harder to steal. We will be auto-upgrading all users to this build soon; the encrypted config.db file breaks several third-party apps, so we want to give them a chance to design workarounds first.
Also, it is possible to see what computers have access to the Dropbox files by logging into the web interface and going to this link.
If a computer is not recognized, unlink it.
"All files stored on Dropbox servers are encrypted (AES256) and are inaccessible without your account password."
After April, it changed to:
"All files stored on Dropbox servers are encrypted (AES 256)."
Would you explain why you changed this?
Dropbox: We were explaining that there are multiple safeguards on your data: that the files are stored encrypted and in addition, protected by your access credentials. However, a security professional could incorrectly infer that the encryption key comes from the user's password, so we've separated the two points for clarity.
Kassner: Soghoian also pointed out that the following quote from the same Dropbox webpage:
"Dropbox employees aren't able to access user files, and when troubleshooting an account, they only have access to file metadata (filenames, file sizes, etc. not the file contents)."
"Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations)."
Why did the statement change?Dropbox: "Dropbox employees aren't able to access user files." That means that we prevent such access via access controls on our backend as well as strict policy prohibitions. That statement didn't say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this:
We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access."Kassner: Thank you for providing your position with regards to the allegations. I have a few security questions as well.
In the iPhone Dropbox app, a four-digit passcode is required to open the application. Do you have any plans for an option that would allow more-complex pass codes?
Dropbox: Users have not requested this feature to date. The iPhone passcode is intended to protect the user's files in case the phone is lost or stolen. Users can enable a setting that will delete the Dropbox data on the phone should the wrong passcode be entered over ten times. It is not a replacement for the password on the account, which is required to link the Dropbox to the iPhone for the first time.
Kassner: There is a third party application called SecretSync that encrypts files before they are transferred to Dropbox. Would you recommend it for people that would like additional security? Would TrueCrypt be another option?
Dropbox: Yes, we have always recommended third-party encryption solutions for advanced users who are comfortable managing their own encryption keys. TrueCrypt has been the most popular option to date, but other solutions include EncFS, SecretSync, and BoxCryptor.
It's important to understand that user-managed encryption has tradeoffs. First, many people publicly share photos and documents through Dropbox, and this will not possible if those files are encrypted before being placed in Dropbox. Second, if they lose the password or encryption key to the files they encrypted themselves, those files are lost forever.
Convenience versus security, the problem with all SaaS applications, has landed at Dropbox. How much do you trust the service provider?
Hopefully, I have provided enough information to make an informed decision about how to use Dropbox. Thanks, Grandpa.