Hackers test BitTorrent Sync, say it's not safe to share sensitive information
Editor's Note: Techworm has been through the claims made by Hackito and the clarifications provided by BitTorrent Sync. The claims seem unsubstantiated: the group's premise was flawed because they misunderstood how the technology works.
If you have used BitTorrent Sync before, you know how different it is from other cloud storage services. BitTorrent Sync users can sync files not only between devices on a local network, but also between devices online via “secure distributed P2P technology”, without the pitfalls of the cloud such as file size limits, third-party snoopers and painfully slow transfer speeds. Now researchers say that it provides neither security nor privacy. In fact they have warned users against syncing and sending sensitive and confidential information over BitTorrent Sync.
Sync “gets its speed from the BitTorrent protocol on which it was built” and it is fast. In October, BitTorrent conducted a speed test to see how well Sync held up against major cloud storage companies. “Sync performed 8 times faster than Google Drive, 11 times faster than OneDrive and 16 times faster than Dropbox,” the test results had claimed.
As of August 2014, the popularity of the service has grown far and wide. For the reason we mentioned above, the service is now used by over 10 million individuals, and many may be using it for sensitive and private information. The fact that it does not need a subscription fee has only helped its spread. One of the reasons BitTorrent Sync is becoming increasingly popular even while it is in Beta is that it was “built for trust” and to give the user “complete control” of their files. “Files are never duplicated on to third-party servers. Every connection is encrypted and secured against prying eyes,” BitTorrent had said. The tech specs even added, “Sync was designed with privacy and security in mind.”
A big advantage of using the service is that, since your files are not technically stored on a cloud storage, no law enforcement officer can legally get a warrant to access your personal data. So your data remains perfectly safe and sound. When Sync 1.4 Beta was released, Erik Pounds, Vice President of Product Management for BitTorrent Sync, wrote, “Privacy controls including Read-Only/Read & Write options, link expirations and approval settings, which all let you customize the level of access you want to provide. Your peer list provides you a record of all the devices you’ve shared with. Each peer becomes a sender also, helping sync files with new peers if and when your device is not online.”
The Hacker’s Test
The hackers who conducted the privacy tests of BitTorrent Sync have written a lengthy blogpost about their results after putting the entire system under rigorous test.
One claim from that post is that Sync’s “infrastructure is dependent on other, maybe insecure, infrastructure and deployments. If Amazon gets hacked, security of whole BTsync architecture is compromised.”
According to Hackito Ergo Sum’s TL;DR post and conclusions:
- There is a “probable leak of all hashes to getsync.com and access for BitTorrent Inc to all shared data.” The analysis portion added, “GetSync.com server receives many (all?) hashes in clear-text when sharing the directory; it is used to share links amongst people, even though the previous BTsync hash sharing mechanism was better for security.”
- There was a change of Sync’s sharing paradigm after the first releases that introduced a vulnerability, which “may be the result of NSL (National Security Letters, from US Government to businesses to pressure them in giving out the keys or introducing vulnerabilities to compromise previously secure systems) that could have been received by BitTorrent Inc and/or developers.” The hackers even included a handy-dandy diagram from the ACLU to explain how the FBI uses NSLs.
- “Leak about the private network addresses of clients that gives indication about where and what to attack.”
- There are “probable multiple vulnerabilities in the clients.”
- “Bottom line: Do not use for sensitive data.”
BitTorrent said they will formulate a detailed reply to these claims. For now, they have posted the following on their forums:
- The researcher hasn’t found anything bad, besides a few crashes on random tests. What he found is what we have been officially saying from day 1 of Sync.
- PS. Wording of “Probable leak of all hashes to getsync.com and access for BitTorrent Inc to all shared data.” is very close to “I almost hacked Microsoft today.”
- PPS. There is nothing even close to “Bittorrent Inc has access to all your ‘encrypted files’.”
Update: BitTorrent’s response to Techworm
Christian from BitTorrent reached out to Techworm about the alleged vulnerability. While acknowledging Hackito’s good intentions, BitTorrent says that their assessment that BitTorrent Sync is vulnerable is not correct. BitTorrent’s detailed reply to Hackito’s claims is given below:
BitTorrent Sync remains the most secure and private way to move data between two or more devices. And for good reason: we’ve built it that way. Rigorous third-party security audits have been conducted to verify the product’s security architecture. But we take questions about Sync’s security very seriously. We’ve gone through the claims made by Hackito and, after reviewing it in full, we do not feel there is any cause for concern.
To address the main points made in the study’s conclusion:
- Folder hashes are not the folder key (secret) and are used to discover other peers with the same folder. The hashes cannot be used to obtain access to the folder; it is just a way to discover the IP addresses of devices with the same folder. Hashes also cannot be guessed; it is a 160-bit number, which means that it is cryptographically impossible to guess the hash of a specific folder.
- Links make use of standard public key cryptography to enable direct and secure key exchange between peers. The link does not contain any folder encryption keys; it only contains the public keys of the machines involved in the exchange. The link itself cannot be used for decrypting the communication. After a direct connection is established (the user can verify this by comparing the certificate fingerprints of both peers), Sync passes the folder key to the other peer over the encrypted channel. In addition, the public key and the folder hash appear after the # sign in the URL, which means that all modern browsers won’t even send this to the server. On top of that, a few additional features were implemented to further secure the key exchange using links, including (1) the links automatically expire within 3 days (set as default) and (2) explicit approval is required by the inviting peer before any key exchange takes place (also set as a default).
- We host a tracker server for peer discovery; the tracker is only there to enable peers to find each other. It is not a part of the folder exchange. As mentioned earlier, the hashes cannot be used to obtain access to a folder.
- Like with any other solution, the user needs to secure access to their machines using proper passwords, proper firewall configuration, and the like. Once an attacker has root access or physical access to the machine, it can modify any element of the attacked system. This is not an issue with Sync, but basic security protocol.
- Sync security is completely dependent on the client-side implementation. The public infrastructure is there to enable better connectivity and a more user-friendly folder sharing experience. Compromising the public infrastructure cannot impact the security of Sync.
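To make the two distinctions in the reply concrete (a discovery hash is not the folder secret, and whatever sits after the # in a link never reaches the link server), here is a small Python model added by the editor. It is not BitTorrent's code and does not reproduce Sync's real design: the SHA-1 derivation of the 160-bit hash, the `Tracker` class, the link format `https://link.example/share#pk=...&fh=...`, the public key placeholder and the RFC 5737 test addresses are all constructed assumptions; only the 160-bit size and the division of roles between peers, tracker and link server come from the reply.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set
from urllib.parse import urlsplit, urlunsplit

HASH_BITS = 160  # the reply states folder hashes are 160-bit numbers


def new_folder_secret() -> bytes:
    """Random folder secret held only by peers allowed into the folder (constructed stand-in)."""
    return secrets.token_bytes(32)


def discovery_hash(folder_secret: bytes) -> str:
    """One-way 160-bit identifier used only to find peers (constructed model, not Sync's derivation).

    SHA-1 output is 160 bits. Recovering the secret from this value is a preimage
    attack, and hitting a specific folder's hash by guessing costs about 2**HASH_BITS
    tries; that is the sense in which the reply says hashes "cannot be guessed".
    """
    return hashlib.sha1(b"discovery:" + folder_secret).hexdigest()


def access_check(presented: bytes, folder_secret: bytes) -> bool:
    """A peer is admitted only with the secret itself; the hash is not a credential."""
    return hmac.compare_digest(presented, folder_secret)


class Tracker:
    """Discovery-only server: it maps a folder hash to the addresses that announced it.

    It never sees a folder secret, so compromising it yields peer addresses, not data.
    """

    def __init__(self) -> None:
        self.table: Dict[str, Set[str]] = {}

    def announce(self, folder_hash: str, address: str) -> None:
        self.table.setdefault(folder_hash, set()).add(address)

    def lookup(self, folder_hash: str) -> Set[str]:
        return set(self.table.get(folder_hash, ()))


def build_share_link(base_url: str, peer_public_key_hex: str, folder_hash: str) -> str:
    """Constructed link format: the sensitive parts are placed in the fragment (after '#')."""
    return f"{base_url}#pk={peer_public_key_hex}&fh={folder_hash}"


def request_target(link: str) -> str:
    """What a browser puts on the HTTP request line: path and query only, never the fragment."""
    parts = urlsplit(link)
    return urlunsplit(("", "", parts.path, parts.query, ""))


def fragment_params(link: str) -> Dict[str, str]:
    """What stays on the client: the key=value pairs after '#'."""
    fragment = urlsplit(link).fragment
    return dict(item.split("=", 1) for item in fragment.split("&") if "=" in item)


def demo() -> dict:
    """Walk through one share: what each party ends up holding."""
    secret = new_folder_secret()
    fh = discovery_hash(secret)

    tracker = Tracker()
    tracker.announce(fh, "192.0.2.10:3000")  # constructed addresses (RFC 5737 range)
    tracker.announce(fh, "192.0.2.20:3000")

    link = build_share_link("https://link.example/share", "aabbccdd" * 8, fh)  # placeholder key
    return {
        "tracker_sees_secret": any(secret.hex() in key for key in tracker.table),
        "peers_found": tracker.lookup(fh),
        "server_receives": request_target(link),
        "browser_keeps": fragment_params(link),
        "hash_opens_folder": access_check(bytes.fromhex(fh), secret),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats a defender should keep in mind when relying on this behaviour: the fragment is excluded from the HTTP request, but any script served with the page can still read it through `location.hash`, so the guarantee is only as strong as the page's own code; and a hash that reveals nothing about the secret can still reveal which peers share a folder, which is the address-disclosure point raised in the original report.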
We hope that reassures BitTorrent Sync users.