Dropbox Wants More Access to Your Computer, and People Are Freaking Out
Dropbox Infinite will live in a very sensitive part of the system, which makes it a good target for hackers.
Dropbox founder Drew Houston. Photo: Getty Images
On Tuesday, Dropbox published more details about upcoming changes to the company's desktop client that will allow users to access all of the content in their account as if it is stored on their own machine, no matter how small the hard-disk on their computer.
In other words, you can browse through your own file system and have direct access to your cloud storage, without having to go and open a web browser nor worry about filling up your hard-drive.
Sounds great, but experts and critics have quickly pointed out that Dropbox Infinite, as the technology is called, may open up your computer to more serious vulnerabilities, because it works in a particularly sensitive part of the operating system.
"Traditionally, Dropbox operated entirely in user space as a program just like any other on your machine," a blog post by Dropbox software engineer Damien DeVille reads.
"With Dropbox Infinite, we're going deeper: into the kernel—the core of the operating system. With Project Infinite, Dropbox is evolving from a process that passively watches what happens on your local disk to one that actively plays a role in your filesystem," the post continues.
As DeVille said, the kernel is the core of the operating system—its heart. It's the first part to be kicked into action when a computer boots up; it manages the inputs and outputs of different pieces of software, and also handles other things connecting to the computer, such as printers.
"They are now proposing to copy the keys to your house, move in, and live with you."
If a program is running in the kernel, it can also see a hell of a lot more than something that is on the normal level that user applications typically live in.
"If Dropbox is in the kernel, it can access everything [on] your whole system," Sam Bowne, who teaches Ethical Hacking at City College San Francisco told Motherboard in a Twitter message.
From a security point of view, users will be putting a load of new code onto their computer with Dropbox Infinite. Of course, that is always the case with any program, and all software contains vulnerabilities. But some might be less enthusiastic about letting Dropbox sit in their kernel, considering how sensitive that area is.
"If there's a flaw in Dropbox it could be used to take over your system," Bowne added.
One area of software that typically operates in the kernel is anti-virus products. But, as Tavis Ormandy, an information security researcher from Google has shown, these programs can be prone to serious vulnerabilities.
There may also be privacy issues with Dropbox's move, but that depends on what kind of information is being sent back to Dropbox's servers, Pedro Vilaça, a Mac OSX reverse engineer, told Motherboard in an email.
"So as long they aren't uploading any of that information back to their servers the new model just gives them the same filesystem view that AVs [anti-virus software] and some other [utilities] already have when users install them," he wrote.
Dropbox did not respond to multiple requests for comment.
Regardless, users might want to think about how much access they fancy giving Dropbox.
"By moving from userland to kernel-land, Dropbox will take on a large responsibility. The way Dropbox works now, it's like a vendor setting up a cart outside your home selling hot dogs. But they are now proposing to copy the keys to your house, move in, and live with you," Bowne wrote.
Update 26 May: After the publication of this article, Dropbox updated its blog post. "It's important to understand that many pieces of everyday software load components in the kernel, from simple device drivers for your mouse to highly complex anti-virus programs. We approach the kernel with extreme caution and respect," it reads.
"We understand the concerns around this type of implementation, and our solution takes into consideration the security and stability of our users' experience, while providing what we believe will be a really useful feature," the blog post adds.