DropSmack drop-kicks Dropbox
RICHARD WEINER
Technology for Lawyers
Published: June 21, 2013
Well, it was really only a matter of time. While Dropbox may be a great utility for sharing files among friends, etc., it has always posed a sort of unknown security risk factor.
Now, the risk is known.
A recent memo from the Black Hat EU conference, entitled “DropSmack: How cloud synchronization services render your corporate firewall worthless,” seems to provide a hacker’s road map for using cloud services in general, and Dropbox in particular, for “delivering malware to an internal network.”
The memo/briefing set out ways that Dropbox can be used in a “command and control” function, where the hacker takes over the computer or network, and also in a data retrieval mode, where the hacker can steal data from the network.
Neither of those activities is particularly optimal for the party being hacked.
Of course, Dropbox is encrypted. And, according to this memo, it really does (did—a hacker did this to a company) take a fairly sophisticated hacker/programmer to figure out how to get into a company’s Dropbox files.
In this instance, that access came from following the CIO’s laptop out of the company’s secure network and into the CIO’s home, where it could be hacked fairly easily—a very sophisticated hack, not for amateurs. It was then equally easy to access Dropbox from there.
The only question then was—what do you do with that info? And these hackers discovered that they could take over the company’s computers from there. They installed a hack they called “DropSmack” into the company’s Dropbox and, voila, the company was theirs.
Scary.
DropSmack’s developer has said that the only way to make sure that this will not happen is to create a whitelist of software—which every company and law firm should do as a matter of course (see some previous articles in this series). Normal firewalls and other security measures don’t check Dropbox, since the program itself is already authorized.
But this is just another cautionary tale in a whole series of them—for fifteen years, I’ve been writing about law firm computer security. The “cloud” now makes it even more imperative to pay attention. This doesn’t mean that Dropbox can’t be used—it just means that it, and similar programs, have to be used with great caution and security.
