In a new paper, “Looking inside the (Drop) box” [PDF], security pros Dhiru Kholia and Przemysław Wegrzyn outline in painstaking detail the steps they took to successfully decode the program that makes up the Dropbox user client, essentially opening it (and their would-be victims’ accounts) up for direct attack.
Reverse engineering is not a malicious attack, per se, but is rather a long-standing technique used to take a peek under the hood of any high-tech product, typically a piece of hardware. Reverse engineering of software has become more popular in recent years, as well, with original developers and reverse engineers continually one-upping each other in an attempt to protect their code or to expose it, respectively.
On the developer side, various terms are used to describe this. Applications that the developers are attempting to protect are called hardened or obfuscated. These techniques are used when a developer doesn’t want to open his code base for analysis, review, attack, or (more to the point) outright copying by others. (This is the antithesis of open source programming.)
But in many cases, these attempts to protect software become counterproductive, and the more popular a hardened/obfuscated piece of software becomes, the more likely it is to earn the attention of hackers. For a good example of this, consider the decades-long attack-and-patch war that Microsoft has endured with hackers targeting virtually all of its products.
But a vast piece of software like Microsoft Office isn’t nearly as ripe a target for reverse engineering today as the relatively compact Dropbox client, and the potential gains for an attacker are arguably far greater for the latter anyway. Why? Because reverse engineering the Dropbox client means you can access your victims’ data from afar, opening the door to see what 100 million users who upload a billion files to the service every day are doing. What digital treasures await the hacker who manages to kick that door open?
Dropbox does not publish its source code, and its API has no documentation. Nonetheless, Kholia and Wegrzyn describe a variety of techniques used to pull the curtain aside and circumvent hardening and other security systems, and they seem to have been overwhelmingly successful. (Feel free to read the paper directly to see the technical details of how they did it.)
As bad as this is for Dropbox (though no doubt it will simply harden and obfuscate further to attempt to close the door once again), it’s a sign of things to come for the software industry as a whole. Judging by the near-dailyheadlines, computer security is not improving. The ease of bypassing that security, however, is. For software which relies on the cloud, which is essentially everything being produced today, that’s awful news, as it gives potential hackers far easier access to the real prize—user data—than reverse engineering more traditional, offline software does.
This news isn’t likely to impact the sea change that we’re experiencing now. Software is moving to the cloud and it’s taking user data with it. What can you and your business do in the meantime to mitigate the risks? First, make sure you’re keeping your software patched and up to date. It’s really the only way to protect yourself from attacks like these. Second, think twice about what kind of data you trust to the cloud. Menu designs for your café? Probably OK to trust them to the Web. Credit card database of all of your customers? Maybe best to keep that on a computer back at the office. Behind a locked door.
Update 8/28/2013: In a statement, Dropbox says, “We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe. However, we believe this research does not present a vulnerability in the Dropbox client. In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”
Christopher Null is a veteran technology and business journalist. He contributes regularly to TechHive, PCWorld, and Wired, and operates the websites Drinkhacker and Film Racket. Disclosure: He also writes for Hewlett-Packad's marketing website TechBeacon.