A report stating that BitTorrent's peer-to-peer file-sharing service, BitTorrent Sync, has several flaws in its security and encryption was published last Sunday (16th November) by a group of security researchers on the Hackito website. The report states that the software may grant the company access to information about users' shared files.
In a post of its own two days later, BitTorrent disputed these accusations.
The most serious issue, the researchers say, is the leak of cryptographic hashes of users' folders to BitTorrent's GetSync.com remote server. Having reverse-engineered the program code, their analysis concluded: "Probable leak of all hashes to getsync.com and access for BitTorrent Inc to all shared data". The whole report can be found on the Hackito Ergo Sum website.
A researcher from Hackito said that the flaw was introduced by a change in the folder-sharing procedure made after the first Sync release. "Change of sharing paradigm that introduced this vulnerability happened after the first releases. This may be the result of NSL (National Security Letters, from US Government to businesses to pressure them in giving out the keys or introducing vulnerabilities to compromise previously secure systems) that could have been received by BitTorrent Inc and/or developers," the report states.
In its counter-post on Tuesday, BitTorrent said that the central remote server exists only to help users connect to one another and does not take part in the encrypted synchronization process.
'Folder hashes are not the folder key (secret). They are used to discover other peers with the same folder. The hashes cannot be used to obtain access to the folder; it is just a way to discover the IP addresses of devices with the same folder. Hashes also cannot be guessed; it is a 160-bit number, which means that it is cryptographically impossible to guess the hash of a specific folder,' the post states.
According to the Hackito researchers, the mechanism by which BitTorrent users share folders relies on links served through GetSync.com, and those links include both the folder hashes and the cryptographic key to the folders.
BitTorrent, on the contrary, states that the links contain only the public keys needed for machines to connect to one another, not the secret keys to the folders.
'Links make use of standard public key cryptography to enable direct and secure key exchange between peers. The link itself cannot be used for decrypting the communication as it only contains the public keys of the machines involved in the exchange. After a direct connection is established (the user can verify that by comparing the certificate fingerprint for both peers), Sync will pass the folder key over an encrypted channel to the other peer. In addition, the public key and the folder hash appear after the # sign in the URL, which means that all modern browsers won't even send this to the server. Additional features have been implemented to further secure the key exchange using links, including (1) the links automatically expire within 3 days (set as default) and (2) explicit approval is required by the inviting peer before any key exchange takes place (also set as a default),' their post says.
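The point BitTorrent makes about the "#" sign is a general property of URLs: a browser never transmits the fragment in the HTTP request, so material placed after "#" stays on the client. The following is an added example written for this article, not code from BitTorrent or from the Hackito report; the link format, host and parameter names are constructed placeholders, not Sync's real format. It uses the standard URL API to split a sharing link into the part the server receives and the part that stays local, then checks whether given sensitive values would reach the server. For comparison it also shows the same values placed in the query string, where the server does receive them.

```javascript
// Added example (not from the article, BitTorrent or Hackito).
// Splits a sharing link into the part a browser sends to the server and the
// part (the fragment after '#') that never leaves the client.
function splitLink(link) {
  const u = new URL(link);
  return {
    // Scheme, host, path and query are all put on the wire in the HTTP request.
    sentToServer: u.origin + u.pathname + u.search,
    // The fragment is kept by the browser and is not part of the request.
    clientOnly: u.hash.startsWith('#') ? u.hash.slice(1) : u.hash,
  };
}

// Parses "k1=v1&k2=v2" style fragment content into a plain object.
function parseFragment(link) {
  const { clientOnly } = splitLink(link);
  return Object.fromEntries(new URLSearchParams(clientOnly));
}

// Returns the subset of sensitiveValues that would be visible to the server.
// An empty result means none of them appear outside the fragment.
function valuesExposedToServer(link, sensitiveValues) {
  const { sentToServer } = splitLink(link);
  return sensitiveValues.filter((v) => sentToServer.includes(v));
}

// Constructed placeholder values; not real keys or hashes.
const FOLDER_HASH = 'a'.repeat(40);            // a 160-bit value rendered as 40 hex chars
const PEER_PUBKEY = 'PEERPUBKEY_PLACEHOLDER';  // stands in for a peer's public key

// Link of the kind described in the post: key material after '#'. Host and
// parameter names (h, pk) are assumptions made for this example.
const fragmentLink =
  `https://example.invalid/share?v=1#h=${FOLDER_HASH}&pk=${PEER_PUBKEY}`;

// Counter-example: the same material in the query string, which the server receives.
const queryLink =
  `https://example.invalid/share?h=${FOLDER_HASH}&pk=${PEER_PUBKEY}`;

function demo() {
  return {
    fragmentExposed: valuesExposedToServer(fragmentLink, [FOLDER_HASH, PEER_PUBKEY]),
    queryExposed: valuesExposedToServer(queryLink, [FOLDER_HASH, PEER_PUBKEY]),
    fragmentParams: parseFragment(fragmentLink),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check only covers the HTTP request itself. A script running on the page that serves the link can still read `location.hash` and transmit it, and the full link is stored in browser history and in any chat or mail where it is pasted, so the fragment trick limits what the server sees by default rather than making the link safe to publish. That is why the expiry and explicit-approval defaults mentioned in the post matter in addition to where the key material sits in the URL.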
In addition to these statements, BitTorrent published a letter from an information security company, ISEC Partners, which it had hired earlier this year to audit its security implementation. According to the letter, the audit covered the implementation and use of cryptographic hashes, encryption and randomization in the program, folder recognition and peer exchange, the key exchange mechanism, and possible cryptographic attacks.
'BitTorrent Sync applied generally accepted cryptographic practices in the design and implementation of Sync 1.4 as of July 2014,' the letter says.
All in all, the accounts from the two sides, Hackito and BitTorrent, contradict each other. The safest course for now is to avoid sharing sensitive information through Sync.