BitTorrent dismisses security concerns raised about its Sync app

The cryptographic implementation is solid and cannot be compromsied through a remote server, the company said

BitTorrent dismissed claims that its popular peer-to-peer file synchronization program BitTorrent Sync has an insecure cryptographic implementation that potentially gives the company access to users' files.

A group of security researchers who recently reverse engineered parts of BitTorrent Sync released a report Monday outlining several potential security issues they found. The most serious of those issues had to do with the leak of cryptographic hashes that correspond to folders shared between users to GetSync.com, a remote server operated by BitTorrent.

The analysis revealed the "probable leak of all hashes to getsync.com and access for BitTorrent Inc to all shared data," the researchers said in their report posted on the website of the Hackito Ergo Sum security conference.

This results from a change in the folder-sharing procedure that was introduced after the original Sync releases, which used a different, more secure mechanism, the Hackito researchers said. "This may be the result of NSL (National Security Letters, from US Government to businesses to pressure them in giving out the keys or introducing vulnerabilities to compromise previously secure systems) that could have been received by BitTorrent Inc and/or developers."

BitTorrent posted a response on its community forum to clarify that the central server is just there to enable peers to discover each other and does not play a role in the actual synchronization process, which is encrypted peer-to-peer.

"Folder hashes are not the folder key (secret)," Konstantin Lissounov, the general manager for BitTorrent Sync, said. "They are used to discover other peers with the same folder. The hashes cannot be used to obtain access to the folder; it is just a way to discover the IP addresses of devices with the same folder."

The folder-sharing mechanism between BitTorrent Sync users relies on links to GetSync.com that include the folder hash and cryptographic keys, according to the Hackito report.

However, those links only contain the public keys that are needed before the machines can actually exchange the secret keys, Lissounov said.

"The link itself cannot be used for decrypting the communication as it only contains the public keys of the machines involved in the exchange," he said. "After a direct connection is established (the user can verify that by comparing the certificate fingerprint for both peers) Sync will pass the folder key over an encrypted channel for the other peer. In addition, the public key and the folder hash appear after the # sign in the URL, which means that all modern browsers won't even send this to the server."

Compromising the public infrastructure that supports the peer discovery cannot impact the security of the Sync program, which is completely dependent on the client-side implementation, Lissounov said.

In order to support these claims, BitTorrent also published a letter from iSEC Partners, a security firm that was contracted earlier this year to audit BitTorrent Sync's cryptographic implementation. According to the letter, iSEC's review covered the program's implementation and usage of cryptographic primites like hashing, encryption and randomness generation; the key exchange mechanism; the invite and approval process; folder discovery by remote peers and possible cryptographic attacks on Sync infrastructure.

"BitTorrent Sync applied generally accepted cryptographic practices in the design and implementation of Sync 1.4 as of July 2014," the iSEC letter reads.

ISEC Partners was also contracted by the Open Crypto Audit Project to perform an audit of TrueCrypt source code earlier this year.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags privacybittorrentExploits / vulnerabilitiesiSec Partners

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Lucian Constantin

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Shining a light on creativity

MSI has long pushed the boundaries of invention with its ever-evolving range of laptops but it has now pulled off a world first with the new MSI Creative 17.

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?