BitTorrent dismisses security concerns raised about its Sync app

The cryptographic implementation is solid and cannot be compromised through a remote server, the company said

BitTorrent dismissed claims that its popular peer-to-peer file synchronization program BitTorrent Sync has an insecure cryptographic implementation that potentially gives the company access to users' files.

A group of security researchers who recently reverse engineered parts of BitTorrent Sync released a report Monday outlining several potential security issues they found. The most serious of those issues had to do with the leak of cryptographic hashes that correspond to folders shared between users to GetSync.com, a remote server operated by BitTorrent.

The analysis revealed the "probable leak of all hashes to getsync.com and access for BitTorrent Inc to all shared data," the researchers said in their report posted on the website of the Hackito Ergo Sum security conference.

This results from a change in the folder-sharing procedure that was introduced after the original Sync releases, which used a different, more secure mechanism, the Hackito researchers said. "This may be the result of NSL (National Security Letters, from US Government to businesses to pressure them into giving out the keys or introducing vulnerabilities to compromise previously secure systems) that could have been received by BitTorrent Inc and/or developers."

BitTorrent posted a response on its community forum to clarify that the central server is just there to enable peers to discover each other and does not play a role in the actual synchronization process, which is encrypted peer-to-peer.

"Folder hashes are not the folder key (secret)," Konstantin Lissounov, the general manager for BitTorrent Sync, said. "They are used to discover other peers with the same folder. The hashes cannot be used to obtain access to the folder; it is just a way to discover the IP addresses of devices with the same folder."

The folder-sharing mechanism between BitTorrent Sync users relies on links to GetSync.com that include the folder hash and cryptographic keys, according to the Hackito report.

However, those links only contain the public keys that are needed before the machines can actually exchange the secret keys, Lissounov said.

"The link itself cannot be used for decrypting the communication as it only contains the public keys of the machines involved in the exchange," he said. "After a direct connection is established (the user can verify that by comparing the certificate fingerprint for both peers) Sync will pass the folder key over an encrypted channel for the other peer. In addition, the public key and the folder hash appear after the # sign in the URL, which means that all modern browsers won't even send this to the server."

Compromising the public infrastructure that supports the peer discovery cannot impact the security of the Sync program, which is completely dependent on the client-side implementation, Lissounov said.
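The two properties BitTorrent's response rests on can be checked directly: a discovery hash is a one-way function of the folder secret, and a URL fragment (the part after `#`) is never transmitted by an HTTP client, so a rendezvous server sees neither the public key nor the hash. The following is an added example written for this page, not BitTorrent's code; the link layout `https://getsync.com/share#key=...&hash=...` and the SHA-256 hash construction are assumptions for illustration, since the article does not describe the real link format or derivation.

```python
"""Added example (not BitTorrent's code). Link layout and hash derivation are
assumptions for illustration; the article does not specify either."""
import hashlib
import hmac
import urllib.request
from urllib.parse import parse_qs, urlsplit


def discovery_hash(folder_secret: bytes) -> str:
    """Assumed construction: SHA-256 of the secret. It lets peers recognise
    each other but cannot be inverted to recover the folder secret."""
    return hashlib.sha256(folder_secret).hexdigest()


def build_share_link(peer_public_key: bytes, folder_secret: bytes,
                     base: str = "https://getsync.com/share") -> str:
    """Place the public key and the discovery hash after '#', i.e. in the fragment."""
    return f"{base}#key={peer_public_key.hex()}&hash={discovery_hash(folder_secret)}"


def request_line(url: str) -> str:
    """The HTTP/1.1 request line a client emits for `url`.
    urllib.request.Request drops the fragment before computing .selector
    (the origin-form target), so this is what actually leaves the machine."""
    req = urllib.request.Request(url)
    return f"GET {req.selector} HTTP/1.1\r\nHost: {req.host}\r\n"


def fragment_fields(url: str) -> dict:
    """What the receiving client can read locally from the fragment."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).fragment).items()}


def server_can_learn(url: str, folder_secret: bytes) -> dict:
    """Does the transmitted request carry the secret, or even the discovery hash?"""
    wire = request_line(url)
    return {
        "secret_on_wire": folder_secret.hex() in wire,
        "hash_on_wire": discovery_hash(folder_secret) in wire,
    }


def peer_has_same_folder(my_secret: bytes, advertised_hash: str) -> bool:
    """Discovery-side check: does an advertised hash match my own folder?
    Constant-time comparison, since the hash is still a peer identifier."""
    return hmac.compare_digest(discovery_hash(my_secret), advertised_hash)


if __name__ == "__main__":
    # Constructed sample values; not taken from any real Sync installation.
    secret = bytes(range(32))
    pub = bytes.fromhex("ab" * 32)
    link = build_share_link(pub, secret)
    print(link)
    print(repr(request_line(link)))
    print(fragment_fields(link))
    print(server_can_learn(link, secret))
```

Running it shows the request line is just `GET /share HTTP/1.1` with a `Host:` header: the key and hash in the fragment stay on the client, and even a hash that did reach a server would only identify the folder, not unlock it. The caveat a practitioner should keep in mind is that this protects against the server only; anything in the fragment is still visible to whoever holds the link itself.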

In order to support these claims, BitTorrent also published a letter from iSEC Partners, a security firm that was contracted earlier this year to audit BitTorrent Sync's cryptographic implementation. According to the letter, iSEC's review covered the program's implementation and usage of cryptographic primitives like hashing, encryption and randomness generation; the key exchange mechanism; the invite and approval process; folder discovery by remote peers; and possible cryptographic attacks on Sync infrastructure.

"BitTorrent Sync applied generally accepted cryptographic practices in the design and implementation of Sync 1.4 as of July 2014," the iSEC letter reads.

iSEC Partners was also contracted by the Open Crypto Audit Project to perform an audit of the TrueCrypt source code earlier this year.


Lucian Constantin

IDG News Service