BitTorrent dismisses security concerns raised about its Sync app

The cryptographic implementation is solid and cannot be compromsied through a remote server, the company said

BitTorrent dismissed claims that its popular peer-to-peer file synchronization program BitTorrent Sync has an insecure cryptographic implementation that potentially gives the company access to users' files.

A group of security researchers who recently reverse engineered parts of BitTorrent Sync released a report Monday outlining several potential security issues they found. The most serious of those issues had to do with the leak of cryptographic hashes that correspond to folders shared between users to GetSync.com, a remote server operated by BitTorrent.

The analysis revealed the "probable leak of all hashes to getsync.com and access for BitTorrent Inc to all shared data," the researchers said in their report posted on the website of the Hackito Ergo Sum security conference.

This results from a change in the folder-sharing procedure that was introduced after the original Sync releases, which used a different, more secure mechanism, the Hackito researchers said. "This may be the result of NSL (National Security Letters, from US Government to businesses to pressure them in giving out the keys or introducing vulnerabilities to compromise previously secure systems) that could have been received by BitTorrent Inc and/or developers."

BitTorrent posted a response on its community forum to clarify that the central server is just there to enable peers to discover each other and does not play a role in the actual synchronization process, which is encrypted peer-to-peer.

"Folder hashes are not the folder key (secret)," Konstantin Lissounov, the general manager for BitTorrent Sync, said. "They are used to discover other peers with the same folder. The hashes cannot be used to obtain access to the folder; it is just a way to discover the IP addresses of devices with the same folder."

The folder-sharing mechanism between BitTorrent Sync users relies on links to GetSync.com that include the folder hash and cryptographic keys, according to the Hackito report.

However, those links only contain the public keys that are needed before the machines can actually exchange the secret keys, Lissounov said.

"The link itself cannot be used for decrypting the communication as it only contains the public keys of the machines involved in the exchange," he said. "After a direct connection is established (the user can verify that by comparing the certificate fingerprint for both peers) Sync will pass the folder key over an encrypted channel for the other peer. In addition, the public key and the folder hash appear after the # sign in the URL, which means that all modern browsers won't even send this to the server."

Compromising the public infrastructure that supports the peer discovery cannot impact the security of the Sync program, which is completely dependent on the client-side implementation, Lissounov said.

In order to support these claims, BitTorrent also published a letter from iSEC Partners, a security firm that was contracted earlier this year to audit BitTorrent Sync's cryptographic implementation. According to the letter, iSEC's review covered the program's implementation and usage of cryptographic primites like hashing, encryption and randomness generation; the key exchange mechanism; the invite and approval process; folder discovery by remote peers and possible cryptographic attacks on Sync infrastructure.

"BitTorrent Sync applied generally accepted cryptographic practices in the design and implementation of Sync 1.4 as of July 2014," the iSEC letter reads.

ISEC Partners was also contracted by the Open Crypto Audit Project to perform an audit of TrueCrypt source code earlier this year.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags bittorrentiSec PartnerssecurityencryptionExploits / vulnerabilitiesdata protectionprivacy

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?