The risks of relying on the cloud have been discussed at length, but security researchers are about to add a new danger that users will soon have to worry about: Reverse engineering the software directly.
In a new paper, "Looking inside the (Drop) box" [PDF], security pros Dhiru Kholia and PrzemysBaw Wegrzyn outline in painstaking detail the steps they took to successfully decode the program that makes up the Dropbox user client, essentially opening it (and their would-be victims' accounts) up for direct attack.
Reverse engineering is not a malicious attack, per se, but is rather a long-standing technique used to take a peek under the hood of any high-tech product, typically a piece of hardware. Reverse engineering of software has become more popular in recent years, as well, with original developers and reverse engineers continually one-upping each other in an attempt to protect their code or to expose it, respectively.
On the developer side, various terms are used to describe this. Applications that the developers are attempting to protect are called hardened or obfuscated. These techniques are used when a developer doesn't want to open his code base for analysis, review, attack, or (more to the point) outright copying by others. (This is the antithesis of open source programming.)
But in many cases, these attempts to protect software become counterproductive, and the more popular a hardened/obfuscated piece of software becomes, the more likely it is to earn the attention of hackers. For a good example of this, consider the decades-long attack-and-patch war that Microsoft has endured with hackers targeting virtually all of its products.
But a vast piece of software like Microsoft Office isn't nearly as ripe a target for reverse engineering today as the relatively compact Dropbox client, and the potential gains for an attacker are arguably far greater for the latter anyway. Why? Because reverse engineering the Dropbox client means you can access your victims' data from afar, opening the door to see what 100 million users who upload a billion files to the service every day are doing. What digital treasures await the hacker who manages to kick that door open?
Dropbox does not publish its source code, and its API has no documentation. Nonetheless, Kholia and Wegrzyn describe a variety of techniques used to pull the curtain aside and circumvent hardening and other security systems, and they seem to have been overwhelmingly successful. (Feel free to read the paper directly to see the technical details of how they did it.)
As bad as this is for Dropbox (though no doubt it will simply harden and obfuscate further to attempt to close the door once again), it's a sign of things to come for the software industry as a whole. Judging by the near-dailyheadlines, computer security is not improving. The ease of bypassing that security, however, is. For software which relies on the cloud, which is essentially everything being produced today, that's awful news, as it gives potential hackers far easier access to the real prize--user data--than reverse engineering more traditional, offline software does.
Sign up for Computerworld eNewsletters.