'No cause for concern on security of BitTorrent Sync'

According to BitTorrent Inc., the report from security researchers stating that BitTorrent Sync shouldn't be used for sensitive data is no cause for concern. The company claims BitTorrent Sync remains the most secure and private way to move data between two or more devices.


PR manager Kevin Fu of the company emailed us saying the company takes security very seriously: "We've gone through the claims made by Hackito and after reviewing it in full, we do not feel there is any cause for concern."

One of the researchers' concerns was that all hashes generated by the software could be available to BitTorrent Inc. Fu states about that: "folder hashes are not the folder key (secret) and are used to discover other peers with the same folder. The hashes cannot be used to obtain access to the folder; it is just a way to discover the IP addresses of devices with the same folder. Hashes also cannot be guessed; it is a 160-bit number, which means that it is cryptographically impossible to guess the hash of a specific folder."

The researchers also reported that the hashes are exposed when a directory is shared, which requires the user to send a link to another machine. The company states about this: "links make use of standard public key cryptography to enable direct and secure key exchange between peers. The link does not contain any folder encryption keys; it only contains the public keys of the machines involved in the exchange. The link itself cannot be used for decrypting the communication. After a direct connection is established (the user can verify that by comparing the certificate fingerprint for both peers) Sync will pass the folder key over an encrypted channel for the other peer."


According to Fu, BitTorrent Sync links are designed in such a way that the key and folder hash normally aren't exposed to the server: "in addition, the public key and the folder hash appear after the # sign in the URL, which means that all modern browsers won't even send this to the server. On top of that, a few additional features were implemented to further secure the key exchange using links, including (1) the links automatically expire within 3 days (set as default) and (2) explicit approval is required by the inviting peer before any key exchange takes place (also set as a default)."
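The claim above rests on a property of HTTP URLs: a browser strips everything after the `#` (the fragment) before it builds the request line, so fragment contents never reach the server or its logs, while page script can still read them. The following is an added example, not BitTorrent Sync's code or its real link format; the parameter names `f` and `pk` and the placeholder values are constructed here purely to illustrate the point. It shows what request target a browser would send for a link carrying secrets in the fragment, and contrasts it with a badly designed link that carries the same values in the query string, which the server would see.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample links (assumptions, not the real Sync link format).
# GOOD_LINK keeps the folder hash and public key in the fragment;
# BAD_LINK puts the same values in the query string.
GOOD_LINK = "https://link.example/share?type=folder#f=FOLDERHASH_PLACEHOLDER&pk=PUBKEY_PLACEHOLDER"
BAD_LINK = "https://link.example/share?type=folder&f=FOLDERHASH_PLACEHOLDER&pk=PUBKEY_PLACEHOLDER"


def request_target(link: str) -> str:
    """Return the request-target a browser places on the HTTP request line.

    Per RFC 7230 only path and query are transmitted; the fragment is dropped
    before the request is sent, so it never appears in server access logs.
    """
    parts = urlsplit(link)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def fragment_params(link: str) -> dict:
    """Values the client-side page can read from the fragment (location.hash)."""
    frag = urlsplit(link).fragment
    return {k: v[0] for k, v in parse_qs(frag).items()}


def query_params(link: str) -> dict:
    """Values that do travel to the server as part of the query string."""
    return {k: v[0] for k, v in parse_qs(urlsplit(link).query).items()}


def server_sees(link: str, names=("f", "pk")) -> list:
    """List which of the named parameters would be visible to the server.

    A value counts as exposed if it appears anywhere in the request target,
    whether it came from the query string or was wrongly moved out of the fragment.
    """
    target = request_target(link)
    candidates = {**fragment_params(link), **query_params(link)}
    return [n for n in names if candidates.get(n) and candidates[n] in target]


if __name__ == "__main__":
    for link in (GOOD_LINK, BAD_LINK):
        print(f"GET {request_target(link)} HTTP/1.1")
        print("  client-only fragment values:", fragment_params(link))
        print("  exposed to server:", server_sees(link) or "none")
```

Running it shows the good link producing `GET /share?type=folder HTTP/1.1` with nothing exposed, while the bad link leaks both placeholder values into the request line. The check is the one a defender would run on any share-link scheme: confirm that the secret material the design says stays client-side really is excluded from what the server receives.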

The researchers were also concerned about the BitTorrent Sync infrastructure, which makes the software connect to a central server; however, according to BitTorrent Inc. the server is only there to enable peers to find each other. The server is also there to enable better connectivity and a more user-friendly folder sharing experience. Even if the server is hacked there shouldn't be an issue, according to Fu, as he adds: "Sync security is completely dependent on client-side implementation."

Nevertheless, client-side security still depends on the user, as Fu ends his mail: "like with any other solution, the user needs to secure access to their machines using proper passwords, proper firewall configuration, and the like. Once an attacker has root access or physical access to the machine, it can modify any element of the attacked system. This is not an issue with Sync, but basic security protocol."
