Hackers test BitTorrent Sync, say it's not safe to share sensitive information

If you have used BitTorrent Sync before, you know how different it is from other cloud storage services. BitTorrent Sync users can sync files not only between devices on a local network but also between devices over the internet, via “secure distributed P2P technology”, without the pitfalls of the cloud such as file size limits, third-party snoopers and painfully slow transfer speeds. Now researchers say it provides neither the security nor the privacy it promises, and they have warned users against syncing or sending sensitive and confidential information over BitTorrent Sync.

Sync “gets its speed from the BitTorrent protocol on which it was built” and it is fast. In October, BitTorrent conducted a speed test to see how well Sync held up against major cloud storage companies. “Sync performed 8 times faster than Google Drive, 11 times faster than OneDrive and 16 times faster than Dropbox,” the test results had claimed.
Growing Popularity

As of August 2014, the service has grown far and wide. For the reasons mentioned above, it is now used by over 10 million individuals, many of whom may be using it for sensitive and private information. The lack of a subscription fee certainly hasn’t held back its spread. One of the reasons BitTorrent Sync is becoming increasingly popular even while still in beta is that it was “built for trust” and to give the user “complete control” of their files. “Files are never duplicated on to third-party servers. Every connection is encrypted and secured against prying eyes,” BitTorrent had said. The tech specs even added, “Sync was designed with privacy and security in mind.”

A big advantage of the service is that, since your files are never stored on a cloud server, there is no third-party provider for law enforcement to serve a warrant on; your data stays on the devices you control (a warrant can, of course, still be served on you or your devices directly). When Sync 1.4 Beta was released, Erik Pounds, Vice President of Product Management for BitTorrent Sync, wrote, “Privacy controls including Read-Only/Read & Write options, link expirations and approval settings, which all let you customize the level of access you want to provide. Your peer list provides you a record of all the devices you’ve shared with. Each peer becomes a sender also, helping sync files with new peers if and when your device is not online.”
The Hacker’s Test

The hackers who conducted the privacy tests of BitTorrent Sync have written a lengthy blog post about their results after putting the entire system through rigorous testing.

One of their findings is that the Sync “infrastructure is dependent on other, maybe insecure, infrastructure and deployments. If Amazon gets hacked, security of whole BTsync architecture is compromised.”

According to Hackito Ergo Sum’s TL;DR post and conclusions:

There is a “probable leak of all hashes to getsync.com and access for BitTorrent Inc to all shared data.” The analysis portion added, “GetSync.com server receives many (all?) hashes in clear-text when sharing the directory; it is used to share links amongst people, even though the previous BTsync hash sharing mechanism was better for security.”
There was a change of Sync’s sharing paradigm after the first releases that introduced a vulnerability, which “may be the result of NSL (National Security Letters, from US Government to businesses to pressure them into giving out the keys or introducing vulnerabilities to compromise previously secure systems) that could have been received by BitTorrent Inc and/or developers.” The hackers even included a diagram from the ACLU explaining how the FBI uses NSLs.
“Leak about the private network addresses of clients that gives indication about where and what to attack.”
There are “probable multiple vulnerabilities in the clients.”
“Bottom line: Do not use for sensitive data.”

BitTorrent Responds

BitTorrent said it will formulate a detailed reply to these claims, but for now it has posted the following on its forums:

The researcher hasn’t found anything bad, besides a few crashes in random testing. What he found is what we have been officially saying from day 1 of Sync.
PS. The wording of “Probable leak of all hashes to getsync.com and access for BitTorrent Inc to all shared data.” is very close to “I almost hacked Microsoft today.”
PPS. There is nothing even close to “Bittorrent Inc has access to all your ‘encrypted files’.”

If you are using BitTorrent Sync to sync your personal files, documents, videos etc., Techworm would like to warn you that it may be risky at this stage. We will update this story as and when we get a detailed response from BitTorrent.