Dropbox (in)security

Dropbox is a handy solution for storing files in “the cloud” and syncing them across various devices (PC/Mac/iPhone/Android). The idea is that these files are stored in an encrypted form and should only be accessible by the person with the account and no one else. As a user of Dropbox myself, I read with horror as security issues with their service hit the web, but the saga has gotten more interesting.

This week I saw the news that someone has filed a complaint with the feds that asks the U.S. Federal Trade Commission (FTC) to investigate Dropbox for deceiving their users as to the extent of the security of the users’ data. This complaint is due in large part to these 3 recently published problems.

The first issue, which Derek Newton pointed out, is that once you enable a device it stores a simple file with a HostID, which is then used for all future authentication. You provide your user/pass and it generates a random HostID that it stores in your account’s list of verified hosts. This in itself is not too horrible, but the problem is that the HostID does not include any mechanism that uses some fingerprint of the system to make sure that the HostID matches up with the current system. So someone can get hold of your file with the HostID, place it on their computer, and then they have access to your files. This seems like a major oversight, which I assume may have been done to make it quicker to deal with the multi-platform support. It needs to be fixed.
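The missing check can be sketched as follows. This is an added example, not Dropbox's code: the class names, the server key and the fingerprint strings are hypothetical, and the first class models the behaviour described above while the second binds the HostID to a device fingerprint.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret


class WeakHostRegistry:
    """Design described in the post: the HostID alone authenticates the device."""

    def __init__(self):
        self.hosts = {}  # host_id -> account

    def enroll(self, account):
        host_id = secrets.token_hex(16)
        self.hosts[host_id] = account
        return host_id

    def authenticate(self, host_id, fingerprint=None):
        # The fingerprint is ignored: whoever presents the HostID is accepted.
        return self.hosts.get(host_id)


class BoundHostRegistry:
    """Hardened variant: the server keeps a MAC over HostID + device fingerprint."""

    def __init__(self):
        self.hosts = {}  # host_id -> (account, binding tag)

    @staticmethod
    def _tag(host_id, fingerprint):
        msg = host_id.encode() + b"\x00" + fingerprint.encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

    def enroll(self, account, fingerprint):
        host_id = secrets.token_hex(16)
        self.hosts[host_id] = (account, self._tag(host_id, fingerprint))
        return host_id

    def authenticate(self, host_id, fingerprint):
        entry = self.hosts.get(host_id)
        if entry is None:
            return None
        account, expected = entry
        ok = hmac.compare_digest(expected, self._tag(host_id, fingerprint))
        return account if ok else None
```

A fingerprint reported by the client is only as trustworthy as the client, so this stops a copied file from working by itself rather than proving the device's identity. Falling back to a password prompt on a mismatch keeps legitimate hardware changes workable.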

The second issue popped up when Dropbox changed their Terms of Service and it became clear that your files are not as secure as was thought. The change to the ToS says that if the authorities show up and ask for your files, they would comply and provide them unencrypted copies of your files. I won’t really make too much fuss about them not being willing to refuse, because that would take some serious legal expenses and I don’t get the sense that Dropbox is big enough to say NO to the US gov. The real point to this is that the only way they could provide unencrypted copies is if the files are not encrypted with some key from the login, which appears to be the case. With the explanation Dropbox provided, the only real restriction is their internal company policy. Not very reassuring, as I am not sure I have ever worked in a place where employees have ever completely followed “company policy”. I can imagine some bored and curious admin running a search on *.jpg during some middle of the night shift. Solutions like TrueCrypt and Boxcryptor can help; maybe Dropbox should acquire Boxcryptor and integrate it into their client software.

The third issue that was blogged about was an issue with the use of deduplication by Dropbox. The idea here is that Dropbox is storing a crap-load of data for its users. To cut down on the costs they implemented a solution for de-duplication, which in short means that when you put a new file in your Dropbox it first checks on their servers for some other user having the same exact file already being stored, and if it finds one, it will just link you to that copy and not need to upload your file or store another copy on their drives. Now think about this… it would require that they take the unencrypted form of your file and generate a hash (let’s hope this is happening on your local machine), and this hash is stored in some table of file hashes. So then they check new files against their list, and if a match is found then they now have a single file which is accessible by two users. Which user’s key is this encrypted by? I assume the first… so if UserB wants a copy of the file at some point, then it would unencrypt UserA’s file and give it to UserB? Ugh! This sure seems like terribly flimsy encryption to me.
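The tension between cross-user deduplication and per-user keys can be shown with a small model. This is an added example, not Dropbox's implementation: the store, the key strings and the toy cipher are all constructed for illustration, and the cipher is a stand-in that must not be used for real data.

```python
import hashlib


class DedupStore:
    """Server-side store that keeps one copy per distinct SHA-256 of what it receives."""

    def __init__(self):
        self.blobs = {}   # digest -> stored bytes
        self.owners = {}  # digest -> set of users linked to that blob

    def upload(self, user, data):
        digest = hashlib.sha256(data).hexdigest()
        already_stored = digest in self.blobs
        if not already_stored:
            self.blobs[digest] = data
        self.owners.setdefault(digest, set()).add(user)
        return already_stored  # True means the upload was deduplicated


def toy_encrypt(key, data):
    """Constructed stand-in for a real cipher: XOR with a SHA-256 counter keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def compare_designs(file_bytes):
    # Design 1: the server matches on the plaintext hash, so two users share one blob.
    plain = DedupStore()
    plain.upload("UserA", file_bytes)
    hit_plain = plain.upload("UserB", file_bytes)

    # Design 2: each client encrypts under its own key before upload.
    private = DedupStore()
    private.upload("UserA", toy_encrypt(b"key-of-UserA", file_bytes))
    hit_private = private.upload("UserB", toy_encrypt(b"key-of-UserB", file_bytes))

    return hit_plain, len(plain.blobs), hit_private, len(private.blobs)
```

With identical input the first design reports a dedup hit and stores one blob, while the second stores two unrelated ciphertexts, which is why a service that deduplicates across accounts cannot be encrypting each copy under a key only that user holds.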

I have no idea what will happen with the FTC involvement. Just because a complaint was filed doesn’t mean they have to act on it, but if they do it will likely be a precedent-setting case that should be watched closely as more and more computing is moving to “the cloud”. For my part, I don’t think Dropbox is a villain that was intentionally doing anything wrong, but that they simply made mistakes on implementation issues and were maybe a little naive as to some of the issues security researchers would be able to dig up as their service gained popularity. If I’m correct about my assumptions about Dropbox, then I hope they respond by fixing their technology and being open with the community about the process.

This is one I will certainly be watching closely…

About Dan Kuykendall

Dan Kuykendall is the founder and co-CEO at the premier application security solutions provider NT OBJECTives, Inc. Throughout his career, Dan has helped develop advanced dynamic application security testing software, a fundamental aspect to NT OBJECTives’ reputation as a leader in comprehensive web application scanning. Dan has also worked for McAfee’s Foundstone and Fortis, where he founded the U.S. Information Security team.
