Getting information from one location to another still isn’t painless, but it’s gotten a lot easier thanks to cloud-based systems like Dropbox, Box, and Google Drive. Now BitTorrent has entered the fray with an alternative, a peer-to-peer sharing system that skirts the cloud entirely called BitTorrent Sync.
But on Monday at a hacking conference in Paris, a session devoted to testing the security of Sync found the system lacking. The organizers of the session, who admit that it was not a professional assessment but a “community effort,” discovered multiple security flaws that could allow anyone to access supposedly encrypted files via Sync. The security analysis details both server-side and client-side risks that were discovered. However, most were not confirmed; they were only mentioned and given a risk rating.
BitTorrent Sync general manager Konstantin Lissounov has tried to dispel the security concerns in a post titled “Bittorrent Sync: Security Is Our Highest Priority.” He says that Sync was built to be completely secure and has gone through various third-party audits (which he linked).
Lissounov also adds some specific explanation for a few of the issues raised, including one from Hackito labeled “[HIGH?] Tracker server gets hashes of new folder?” It turns out that the hashes are not the folder key.
“They are used to discover other peers with the same folder,” Lissounov writes. “The hashes cannot be used to obtain access to the folder; it is just a way to discover the IP addresses of devices with the same folder. Hashes also cannot be guessed; it is a 160-bit number, which means that it is cryptographically impossible to guess the hash of a specific folder.”
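To make the distinction Lissounov draws concrete, here is an added illustration (not code from the article, from BitTorrent, or from the Hackito session) of a tracker that sees only a one-way discovery hash and never the folder secret. The derivation used here (SHA-1 over a domain-separated copy of a random 32-byte secret), the `Tracker`/`Peer` classes and the peer addresses are all constructed assumptions for the example; the article states only that the hash is 160 bits and is not the key.

```python
import hashlib
import secrets
from collections import defaultdict


def new_folder_secret() -> bytes:
    """Per-folder secret shared out of band with trusted peers (stays private)."""
    return secrets.token_bytes(32)


def discovery_hash(secret: bytes) -> str:
    """One-way 160-bit identifier that is the only thing sent to the tracker.

    ASSUMPTION: SHA-1 over a domain-separated copy of the secret. The article
    does not describe Sync's real derivation, only that the value is 160 bits
    and cannot be used to open the folder.
    """
    return hashlib.sha1(b"peer-discovery:" + secret).hexdigest()


class Tracker:
    """Stand-in for the public tracker: maps discovery hash -> peer addresses."""

    def __init__(self) -> None:
        self._peers: dict[str, set[str]] = defaultdict(set)

    def announce(self, h: str, addr: str) -> list[str]:
        """Register a peer under a hash; return the other peers it may contact."""
        self._peers[h].add(addr)
        return sorted(self._peers[h] - {addr})

    def stored_material(self) -> str:
        """Everything a compromised tracker could leak: hashes and addresses only."""
        return repr(dict(self._peers))


class Peer:
    def __init__(self, addr: str, secret: bytes) -> None:
        self.addr = addr
        self.secret = secret

    def find_peers(self, tracker: Tracker) -> list[str]:
        """Discover other devices holding the same folder without revealing the secret."""
        return tracker.announce(discovery_hash(self.secret), self.addr)


def brute_force_bits(h: str) -> int:
    """Work, in bits, to hit one specific discovery hash by exhaustive guessing."""
    return len(h) * 4  # 40 hex characters -> 160 bits


def run_demo() -> dict:
    """Two peers with the same secret find each other; a third with a different
    secret sees nothing, and the tracker never holds the secret itself."""
    tracker = Tracker()
    shared = new_folder_secret()
    other = new_folder_secret()
    # Constructed documentation-range addresses, not real hosts.
    alice = Peer("203.0.113.10:3000", shared)
    bob = Peer("198.51.100.7:3000", shared)
    mallory = Peer("192.0.2.9:3000", other)

    alice.find_peers(tracker)
    bob_sees = bob.find_peers(tracker)
    mallory_sees = mallory.find_peers(tracker)
    leaked = tracker.stored_material()
    return {
        "bob_sees": bob_sees,                       # ['203.0.113.10:3000']
        "mallory_sees": mallory_sees,               # []
        "tracker_has_secret": shared.hex() in leaked,  # False
        "guess_bits": brute_force_bits(discovery_hash(shared)),  # 160
    }


if __name__ == "__main__":
    print(run_demo())
```

The point a defender should take from this model is the asymmetry: compromising the tracker yields a map of hashes to IP addresses (a privacy consideration worth noting), but not the material needed to decrypt or join a folder, and guessing a particular 160-bit hash is not a practical attack.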
The other major issue raised was the use of BitTorrent's public infrastructure, which could allow data to be intercepted. The response, and the overarching theme, was that Sync does not depend on those servers for its security.
“The public infrastructure is there to enable better connectivity and a more user-friendly folder-sharing experience,” Lissounov explains. “Compromising the public infrastructure cannot impact the security of Sync.”
The clear explanations and response given on behalf of the company should comfort those questioning how important security is to the product. Even unsubstantiated claims, merely suspected to be problems, were addressed quickly.
Is BitTorrent Sync safe enough for your sensitive data? If your answer is no, then for now you probably should rethink using Dropbox, Drive, or Box as well.