What to do if a Dropbox device is stolen
12 Sep 2012
I wrote a couple of weeks back about the two-step authentication that was added to Dropbox and how it can make your Dropbox account more secure. Two-step authentication is only part of the challenge, though, and only protects you from people trying to break into your account. What happens when one of your Dropbox devices is stolen? Unfortunately, the results can be grim, depending on how secure you have kept the device that was stolen, although there is hope for iOS and Android users. Let me take you through a quick guide on what you can do to make things a little safer and potentially remotely remove files that are stored in Dropbox on the device that was stolen.
First things first, all aspects of security need to be thought about. Remember that if you run Dropbox on a Mac or Windows laptop or desktop computer, then ALL files are typically copied locally unless you specify otherwise. This means that if someone gets your computer and you have no password or a weak password, then the intruder can simply open up your local Dropbox folder and have access.
My first quick recommendation is to log in to Dropbox on the web (if you use two-step authentication, then make sure you already have your backup password in case the phone that gets the authentication code is the one that is stolen). When logged in, click your name at the top right and then on Settings. When the settings have loaded, go to the Security tab and unlink the device so that it is no longer connected to your account. Unfortunately, this doesn’t include a remote wipe, so if they have access to the files, then you are simply preventing them from accessing your online Dropbox account and making any changes.
I recommend full-disk encryption
When laptop or desktop devices are stolen, I worry more about the data that is stored than the device that is stolen. If I have good enough backups, then the computer can be replaced, and although the theft is annoying and leaves you with a vulnerable feeling, your data is safe. But if you have no backup and lose your data, that is way more costly.
There is a risk with storing information anywhere. If information isn’t protected correctly then potentially anybody can gain access to it. This is why I recommend you use encryption. I personally use full disk encryption on the Mac although if you just want to keep files in a secure folder, you could potentially just secure that particular folder. For more information on why it is important to secure your device with a password and encrypt the data, take a read of my full disk encryption post. This also includes instructions or links to instructions on how you could secure your data.
Should an encrypted device with a good password be stolen then you can take more comfort in the fact that the intruder will likely just reformat the device and use the hardware. In a lot of cases the intruder is interested in the hardware.
What if your iOS or Android Dropbox device is stolen? Luckily with iOS the device doesn’t store files locally (typically). By simply using the unlink method mentioned above you can disconnect your stolen iPad or iPhone from Dropbox and when the intruder loads up the app they VERY briefly see a list of folders and files but in less than a second they are taken back to the login/register screen.
The same, I believe, is the case for Android, although I have been unable to test as I have no available Android device. Users on the Dropbox forum indicate that Android users will also be presented with a registration screen when the device is unlocked.
Another option, and one that all iOS users should have active, is Find my iPhone, which comes as part of icloud.com and is built in for free on iOS 4+ devices in the mail/calendar settings menu. Activate this, and if your device is stolen you can track it, lock it, remotely wipe it or set an alarm on it with a message. My preferred method is to use an 8-digit PIN (company restrictions mandate this to get email). I’d first unlink from Dropbox as it’s quick and easy. I’d then remotely lock with a stronger password and track for a while, and if no luck with that, I’d initiate a remote wipe.
Either way, if your iOS device running Dropbox is stolen, a simple unlink in Dropbox’s web interface will clear the contents for you.
How to prepare now
Although the chances are that you are reading this because a Dropbox device has been stolen, hopefully it can bring some hope in that if you are on Android or iOS then you can simply unlink. But if you are reading this and your device hasn’t been stolen, then go and enable two-step authentication now, and look at adding passwords to all devices as well as encryption and backups where possible. It’s all about preventing access, both virtual (through a hack) and physical (which is where encryption comes in), to ensure that your data doesn’t get into the wrong hands.