Popular cloud file syncing service Dropbox, much beloved by iPhoneMY, has been in the news lately. On the one hand, it announced it had hit a new high of 25 million users, a number that is both pleasingly big and pleasingly round. On the other hand, it has been the target of some strongly worded criticism over its security features — or, more accurately, over problems with them.
The most recent of these criticisms arose from an update to the Dropbox Terms of Service to state that if the government asks, it will hand over your files:
This isn’t terribly surprising, although at first glance it might sound awful. Consider the alternatives. If Dropbox receives a legally binding subpoena in a criminal case demanding the release of data, what else could anyone expect it to do except hand the data over, right?
Perhaps not. Earlier today, Miguel de Icaza, a prominent Open Source programmer who founded the GNOME and Mono projects, wrote a blog post pointing out a curious inconsistency between this stance and Dropbox’s advertising. He linked to this page on the Dropbox FAQ which says, amongst other bold promises, that “all files stored on Dropbox servers are encrypted (AES-256)” and “Dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents)”.
As de Icaza points out, there are no details beyond these high-level statements about exactly how Dropbox carries out its data encryption. AES-256 is a well-regarded symmetric cipher: without the 256-bit key, recovering the plaintext from the encrypted files is computationally infeasible, so the real question is not the cipher but who holds the key. Dropbox’s FAQ copy makes it sound as if its employees don’t have that key — as though it were derived from your Dropbox password on your own machine, perhaps. That’s certainly what I took away from the Dropbox FAQ.
However, if that were true, then in the event the authorities came knocking Dropbox simply wouldn’t be able to supply the decrypted files, subpoena or no. It could hand over the ciphertext, but it cannot get at the contents of those files without the key. Since the Terms of Service say it will hand over your files, we can assume that Dropbox does hold (or can reconstruct) those keys after all, which means that the only thing stopping Dropbox staff from reading your files is policy and access control rather than anything to do with the encryption itself.
And, of course, keys that live on servers can be stolen — and we know those keys must be accessible to Dropbox’s servers, as without them they wouldn’t be able to encrypt and decrypt your files. Encryption at rest with a provider-held key still protects against a stolen disk or backup tape, but it does nothing against someone who is already on the server. So now we have an additional concern: a hacker with access to the Dropbox servers could read your files if they can also find the matching key — which must be there, somewhere.
All this comes on the heels of a report last week by security engineer Derek Newton that revealed another weakness in Dropbox. Newton reports that the machine hash — a string that uniquely identifies the computer running Dropbox to their servers — is stored unencrypted and in a standard location on any machine with Dropbox installed. Because the server accepts that string on its own as proof of which machine is connecting, it is effectively a bearer credential: if someone obtains that single small file, perhaps by tricking a user into revealing it or through a malware attack, they can copy the machine hash to a computer of their own and download the entire contents of the Dropbox account, without a password and in a manner that is almost undetectable to the user.
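The property Newton describes is easiest to see in code. The following is an added illustration of my own, not Dropbox’s protocol, of which nothing beyond the page’s description is assumed. The first toy server does what the post describes: a static machine identifier is the whole credential, so the same call succeeds from any computer the string has been copied to. The second shows one way a linked device could stop being a bearer token: a per-device key pair whose private half never leaves the machine, a fresh single-use challenge signed on every sync, and a device list the owner can audit and revoke. The type and function names are mine and the design is an assumption about what a hardened scheme could look like, not a claim about what Dropbox does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// bearerServer models the arrangement the post describes: one static
// machine identifier is the whole credential, so whoever holds that string
// is that machine as far as the server is concerned.
type bearerServer struct {
	accounts map[string][]string // machine hash -> files it may sync
}

func (s *bearerServer) link(hostID string, files []string) {
	s.accounts[hostID] = files
}

// sync is the same call whether it comes from the real machine or from a
// copy of the identifier on an attacker's box; nothing distinguishes them.
func (s *bearerServer) sync(hostID string) ([]string, error) {
	files, ok := s.accounts[hostID]
	if !ok {
		return nil, errors.New("unknown machine")
	}
	return files, nil
}

// boundServer is an assumed alternative: each device registers a public key
// at link time, every sync must answer a fresh single-use challenge signed by
// the matching private key, and the owner can list and unlink devices.
type device struct {
	name  string
	pub   ed25519.PublicKey
	files []string
}

type boundServer struct {
	devices map[string]*device // device id -> registration
	pending map[string][]byte  // device id -> outstanding challenge
}

func newBoundServer() *boundServer {
	return &boundServer{devices: map[string]*device{}, pending: map[string][]byte{}}
}

// newDevice runs on the client: the private key stays there, and only the
// public key plus an id derived from it is sent to the server.
func newDevice() (id string, priv ed25519.PrivateKey, pub ed25519.PublicKey, err error) {
	pub, priv, err = ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, nil, err
	}
	return hex.EncodeToString(pub[:8]), priv, pub, nil
}

func (s *boundServer) link(id, name string, pub ed25519.PublicKey, files []string) {
	s.devices[id] = &device{name: name, pub: pub, files: files}
}

func (s *boundServer) challenge(id string) ([]byte, error) {
	if _, ok := s.devices[id]; !ok {
		return nil, errors.New("unknown or unlinked device")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[id] = c
	return c, nil
}

func (s *boundServer) sync(id string, sig []byte) ([]string, error) {
	d, ok := s.devices[id]
	c, outstanding := s.pending[id]
	if !ok || !outstanding {
		return nil, errors.New("no challenge outstanding for device")
	}
	delete(s.pending, id) // single use: a captured signature cannot be replayed
	if !ed25519.Verify(d.pub, c, sig) {
		return nil, errors.New("signature does not match registered device key")
	}
	return d.files, nil
}

func (s *boundServer) unlink(id string) { delete(s.devices, id) }

func (s *boundServer) linkedDevices() []string {
	var names []string
	for _, d := range s.devices {
		names = append(names, d.name)
	}
	return names
}

func main() {
	files := []string{"plans.txt"} // constructed sample account
	b := &bearerServer{accounts: map[string][]string{}}
	b.link("demo-machine-hash", files)
	got, _ := b.sync("demo-machine-hash") // works from wherever the string was copied to
	fmt.Println("bearer model, copied identifier syncs:", got)

	s := newBoundServer()
	id, priv, pub, err := newDevice()
	if err != nil {
		panic(err)
	}
	s.link(id, "office laptop", pub, files)
	c, _ := s.challenge(id)
	got, err = s.sync(id, ed25519.Sign(priv, c))
	fmt.Println("bound model, real device:", got, err)
	_, _ = s.challenge(id)
	_, err = s.sync(id, make([]byte, ed25519.SignatureSize)) // attacker has id and pub only
	fmt.Println("bound model, without the private key:", err)
	fmt.Println("devices the owner can audit:", s.linkedDevices())
}
```

The caveat a practitioner should keep in mind: malware that can read the machine hash can usually read a private key from the same disk too, so the device key only raises the bar meaningfully if it lives in hardware-protected storage. What the bound model adds even without that is visibility and revocation, which is exactly what the post says the bearer design lacks when it calls the attack almost undetectable.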
For most users, this second hole is potentially far more worrying than the first one, because the first only matters to people with sensitive data — and most of them wouldn’t be storing it on Dropbox in the first place. Those who really have to, for whatever reason, could always encrypt it themselves before it reaches Dropbox, for example by placing an encrypted disk image inside the Dropbox folder, so that Dropbox only ever holds ciphertext it has no key for. The machine hash problem, however, affects every account and represents quite a tempting target for hackers to attack.
All these problems are purely theoretical, for the moment; there are no known cases of a hacker exploiting them. Nevertheless, they do show that if you have data you care about, whether it’s the trap layout of your underground lair or your employer’s TPS reports, you ought to be careful where you put it. Trust no-one.