Hackers claim BitTorrent Sync should not be used for sensitive data

If you’ve tried BitTorrent Sync, then you probably like it. Not only can BitTorrent Sync users sync files between devices on a local network, but also between devices online via “secure distributed P2P technology” without the pitfalls of the cloud like file size limits, third-party snoopers and painfully slow transfer speeds. Although it was designed to give users both security and privacy, an independent security analysis casts some doubts on if it truly provides either.

Sync “gets its speed from the BitTorrent protocol on which it was built” and it is fast. In October, BitTorrent conducted a speed test to see how well Sync held up against major cloud storage companies. “Sync performed 8 times faster than Google Drive, 11 times faster than OneDrive and 16 times faster than Dropbox.”

It’s easy to setup and use; as of August 2014 there had been over 10 million user installs that resulted in 80 petabytes of data transferred. In fact, many folks are using network-attached storage (NAS) systems and BitTorrent Sync “to create a secure, easy-to-manage private cloud that is free of subscription fees.”

One of the reasons BitTorrent Sync is becoming increasingly popular even while it is in Beta is because it was “built for trust” and to give the user “complete control” of their files. “Files are never duplicated on to third-party servers. Every connection is encrypted and secured against prying eyes.” The tech specs add, “Sync was designed with privacy and security in mind.”

When Sync 1.4 Beta was released, Erik Pounds, Vice President of Product Management for BitTorrent Sync, wrote, “Privacy controls including Read-Only/Read & Write options, link expirations and approval settings, which all let you customize the level of access you want to provide. Your peer list provides you a record of all the devices you’ve shared with. Each peer becomes a sender also, helping sync files with new peers if and when your device is not online.

Another big plus to using Sync is that if you don’t store your digital stuff in the cloud, then the FBI cannot gag a cloud provider via a National Security Letter (NSL) and spy on all your data. Right? Maybe not so much, according to hackers who conducted a security and privacy analysis of the program.

Because BitTorrent Sync is a closed-source program growing in popularity, a group of hackers at the last Hackito Ergo Sum security conference in Paris wanted to provide a neutral analysis of Sync’s security and privacy. Their results are summed up in the photo below:

A long write-up on the Hackito blog includes the attack surface and potential attack vectors as well as some alarming security and crypto pitfalls. An example from those purportedly includes the fact that Sync “infrastructure is dependent on other, maybe insecure, infrastructure and deployments. If Amazon gets hacked, security of whole BTsync architecture is compromised.”

According to Hackito Ergo Sum’s TL;DL and conclusions:

• There is a “probable leak of all hashes to getsync.com and access for BitTorrent Inc to all shared data.” The analysis portion added, “GetSync.com server receives many (all?) hashes in clear-text when sharing the directory; it is used to share links amongst people, even though the previous BTsync hash sharing mechanism was better for security.”
• There was a change of Sync’s sharing paradigm after the first releases that introduced a vulnerability, which “may be the result of NSL (National Security Letters, from US Government to businesses to pressure them in giving out the keys or introducing vulnerabilities to compromise previously secure systems) that could have been received by BitTorrent Inc and/or developers.” The hackers even included a handy-dandy diagram from the ACLU to explain how the FBI uses NSLs.

• “Leak about the private network addresses of clients that gives indication about where and what to attack.”
• There are “probable multiple vulnerabilities in the clients.”
• “Bottom line: Do not use for sensitive data.”

BitTorrent Sync is working on a “detailed answer,” but for now replied on the BitTorrent forum:

Researcher hasn’t found anything bad, besides few crashes on random test. What he found is that we officially saying from the day 1 of the Sync.

PS. Wording of “Probable leak of all hashes to getsync.com and access for BitTorrent Inc to all shared data.” is very close to “I almost hacked Microsoft today.”

PPS. There is nothing even close to “Bittorrent Inc has access to all your ‘encrypted files’.”

Keep an eye out for Sync’s detailed response.