Concerns About The Security Of Btsync


NeoXiD


Hello there

 

I'm the developer of sync.io, a private tracker server made for BitTorrent Sync. This project is unofficial and not finished, but some people are already using it. To accomplish this project, I had to reverse engineer a lot of the used protocol and can therefore give you some details about the security of BitTorrent Sync.

 

First of all, BTSync is not 100% private, as it might be described on some pages. Think about the following thing: you've got 5 clients, all with the same secret, located on different networks worldwide. How do they find each other? They've got no chance without any external help.

 

This is where BitTorrent Sync's tracker server comes to help - some "share identifier" (not the secret) will be transmitted to the tracker server including your private & public IP address. You will get all active peers as a reply, and can therefore establish some direct connections.

 

You're affected by some really strict firewall rules? The relay server comes into play - it will be a middleman between two peers, and all the data will be transmitted over the relay server if no direct connection is possible. You can easily see this when BTSync shows a "cloud" symbol next to a peer.

 

Summary of data BitTorrent Inc. gets from you:

  • the private and public IP address of all connected peers
  • the share secret (I do not know yet how it will be generated, it is related to the secret keys but can't be reversed, I think)
  • unique identifier (will be generated for each installation; you can also call this a 'unique peer id')
  • if no direct connection is possible: packets containing the destination peer id & the encrypted data

Normally they'll only have your IP address and a unique peer identifier, and they could do some statistics about the average number of shares a BTSync user has, but they do not see any share names or the data. If a relay server gets used, all the encrypted data gets sent over their servers. If the encryption is secure and correctly implemented, this won't be a problem. But if there are some big mistakes or flaws, they could easily intercept the traffic and decrypt it.

 

And if they would be able to decrypt the data of one peer, they would know every other peer (including their IPs) which has access to this share, thanks to the tracker server. And yes, I know, a tracker server -is- necessary.

 

So, these are some things you should know. I do not want to accuse BitTorrent Inc., but you never know how things look. Nobody knows how the encryption works in detail - everything is closed-source and cannot be checked by anyone else. Reverse engineering of the binaries is also forbidden, and it looks like they want to release an enterprise version with private tracker & relay support, so they're not that happy about open-source solutions like 'sync.io'.

 

Also, some other notice: they've mentioned somewhere that they are unable to shut down the BitTorrent Sync service. This is not 100% correct. Indeed, it is correct for LAN-only environments with activated peer discovery. But what if they shut down the tracker and relay servers? External connections would not be possible anymore.

 

To cut a long story short: they could shut down BTSync (except the LAN feature), and they can -maybe- intercept your traffic and decrypt it, depending on how "secure" the encryption really is (and on whether relay servers are being used, which is often the case for mobile connections).

 

Things I would wish for the future: easy support for your own tracker and relay servers, an open and world-readable documentation of the protocol, an API without any 'stupid' (excuse me) API keys which can be limited, and maybe open-sourcing the application altogether.

 

I might sound paranoid, but I care about security a lot. And I just wanted to share my thoughts with all the BTSync users. Do not accuse me of hating BTSync, I really love its simplicity and it works fine, but I am always doubtful about such sync tools. Thanks for reading the whole post,

 

Regards

NeoXiD

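As an added illustration of the tracker/relay exchange described in the post above (this is not BTSync's code and not its real protocol: the share-id derivation as a one-way hash of the secret, the announce/reply shapes, the relay behaviour and all sample values are assumptions constructed for this example), the following toy model shows exactly which metadata the operator of a tracker and a relay ends up holding, and why knowing one share id is enough to list every peer of that share:

```python
"""Toy model of a sync tool's tracker and relay servers.

Added illustration of the metadata exposure described in the post above.
Nothing here is BitTorrent Sync's real protocol: the share-id derivation
(a one-way hash of the secret), the announce/reply shapes and the relay
behaviour are all assumptions of this example.
"""
import hashlib
from dataclasses import dataclass, field


def share_id_from_secret(secret: str) -> str:
    """Assumed derivation: a one-way hash, so the tracker can match peers of a
    share without being handed the secret itself."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:32]


@dataclass(frozen=True)
class PeerRecord:
    peer_id: str      # per-installation identifier
    private_ip: str   # LAN address, sent so peers on one LAN can connect directly
    public_ip: str    # address as seen by the tracker


@dataclass
class Tracker:
    # share_id -> {peer_id: PeerRecord}
    shares: dict = field(default_factory=dict)

    def announce(self, share_id: str, peer_id: str,
                 private_ip: str, public_ip: str) -> list:
        """Register a peer and reply with the other active peers of the share."""
        peers = self.shares.setdefault(share_id, {})
        peers[peer_id] = PeerRecord(peer_id, private_ip, public_ip)
        return [rec for pid, rec in peers.items() if pid != peer_id]

    def operator_view(self) -> dict:
        """Everything the tracker operator learns: for every share id, the
        peer ids and addresses of all members. No share names, no file data."""
        return {
            sid: {pid: (rec.private_ip, rec.public_ip) for pid, rec in peers.items()}
            for sid, peers in self.shares.items()
        }

    def peers_of(self, share_id: str) -> list:
        """Given one share id (e.g. learned from one compromised peer), the
        operator can list every peer that has that share."""
        return sorted(self.shares.get(share_id, {}))


@dataclass
class Relay:
    # (src, dst, ciphertext_length) for every forwarded packet
    log: list = field(default_factory=list)

    def forward(self, src_peer_id: str, dst_peer_id: str, blob: bytes) -> bytes:
        """The relay only needs the destination peer id; the payload is opaque
        to it as long as the peers' encryption is sound."""
        self.log.append((src_peer_id, dst_peer_id, len(blob)))
        return blob


def demo() -> dict:
    """Run two peers through the announce/relay exchange and return what the
    two operators got to see (constructed sample values)."""
    secret = "CONSTRUCTED-SAMPLE-SECRET-0000000"
    sid = share_id_from_secret(secret)

    tracker = Tracker()
    tracker.announce(sid, "peer-home", "192.168.1.10", "203.0.113.5")
    reply = tracker.announce(sid, "peer-laptop", "10.0.0.7", "198.51.100.9")

    # No direct connection possible: ship an (already encrypted) packet via the relay.
    relay = Relay()
    relay.forward("peer-laptop", "peer-home", b"\x00" * 1400)

    return {
        "share_id": sid,
        "laptop_learned": [p.peer_id for p in reply],
        "tracker_sees": tracker.operator_view(),
        "peers_of_share": tracker.peers_of(sid),
        "relay_sees": relay.log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` makes the post's summary concrete: the tracker never receives the secret or any file content, but it does hold, per share id, the private and public IP of every member, and the relay holds destination peer ids plus the size and timing of each forwarded blob. Whether the relay can read more than that depends entirely on the peers' encryption, which is the part nobody outside the vendor can inspect.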

I ran Btsync over i2p as a test and it works well.

However, the major problem is there's no way to verify the downloaded packages, and the source is closed. So those should be your two biggest security concerns, since we're using a blackbox. If you are security conscious, look into Tahoe-LAFS or the owncloud project.

You've mentioned another good point, thanks @CptDerp. owncloud isn't really an alternative imho and Tahoe-LAFS is a bit complicated. I've tested both of them already, but I didn't find anything yet which is as simple and works out-of-the-box like BTSync does.

But unfortunately it is very unlikely that BitTorrent Inc. will ever release BTSync as an open-source application, so we have to trust this 'blackbox' or just don't use it anymore.

But truly some statements which are mentioned on their homepage are probably marketing bs and nobody can tell how secure BTSync really is.


Also, some other notice: they've mentioned somewhere that they are unable to shut down the BitTorrent Sync service. This is not 100% correct. Indeed, it is correct for LAN-only environments with activated peer discovery. But what if they shut down the tracker and relay servers? External connections would not be possible anymore.

You can always create your own tracker and relay server, described below:-

 

Tracker:- Simply own a domain name (Example.org), have it on a dynamic DNS, constantly update the subdomains with your computers' IPs, such as:-

Laptop.example.org
Desktop.example.org
Work.example.org

And then just configure BTSync to use those static addresses.

 

Relay:- Just have a single computer which accepts incoming connections (you can easily buy a cheap VPS to do this). Unfortunately, I'm not sure if it actually needs to have the files on it (if you selective-sync it, then accept nothing, would it relay the connection?). I could test this if you really want (it would cost a couple of cents to lease a VPS for two or so hours).

 

Anyway, one thing I do really dislike about this project is the fact it's closed source.


Also, some other notice: they've mentioned somewhere that they are unable to shut down the BitTorrent Sync service. This is not 100% correct. Indeed, it is correct for LAN-only environments with activated peer discovery. But what if they shut down the tracker and relay servers? External connections would not be possible anymore.

You can always create your own tracker and relay server, described below:-

 

Tracker:- Simply own a domain name (Example.org), have it on a dynamic DNS, constantly update the subdomains with your computers' IPs, such as:-

Laptop.example.org
Desktop.example.org
Work.example.org

And then just configure BTSync to use those static addresses.

 

Relay:- Just have a single computer which accepts incoming connections (you can easily buy a cheap VPS to do this). Unfortunately, I'm not sure if it actually needs to have the files on it (if you selective-sync it, then accept nothing, would it relay the connection?). I could test this if you really want (it would cost a couple of cents to lease a VPS for two or so hours).

 

Anyway, one thing I do really dislike about this project is the fact it's closed source.

That's not a tracker, these are static IPs. (And this feature isn't even implemented in the mobile applications...) And this might work if you've got around 3-4 clients and you own all of them... But what if you want to share some files with friends, coworkers, ...? Ask them for their IPs and update them all of the time? Request some dynamic DNS domains from them? That's clearly no tracker replacement.

And I would also claim that a single computer which accepts incoming connections does not act as a relay server, otherwise this option would not be needed. Of course, you can get some server which is publicly reachable and let it sync all the files, but it will not help with "relaying"/"supporting" a 'direct' connection between two other peers.


That's not a tracker, these are static IPs. (And this feature isn't even implemented in the mobile applications...) And this might work if you've got around 3-4 clients and you own all of them... But what if you want to share some files with friends, coworkers, ...? Ask them for their IPs and update them all of the time? Request some dynamic DNS domains from them? That's clearly no tracker replacement.

And I would also claim that a single computer which accepts incoming connections does not act as a relay server, otherwise this option would not be needed. Of course, you can get some server which is publicly reachable and let it sync all the files, but it will not help with "relaying"/"supporting" a 'direct' connection between two other peers.

This is not entirely true.

A server or one installation of Sync with a static IP or a domain is sufficient. Set your folders to use that static address. That instance will tell all other instances with the corresponding secret the IP addresses of the partnering clients so they can connect to each other. If you are unable to get a direct connection to a client, that instance will relay the data somewhat, because it gets the data first and distributes it again. Of course it needs all the secrets and sufficient disk space, and you should be able to connect to it directly.

So one instance and its public address is all you need to get it working without the help of Bittorrent Inc.

So long

Doc Green


That's not a tracker, these are static IPs. (And this feature isn't even implemented in the mobile applications...) And this might work if you've got around 3-4 clients and you own all of them... But what if you want to share some files with friends, coworkers, ...? Ask them for their IPs and update them all of the time? Request some dynamic DNS domains from them? That's clearly no tracker replacement.

And I would also claim that a single computer which accepts incoming connections does not act as a relay server, otherwise this option would not be needed. Of course, you can get some server which is publicly reachable and let it sync all the files, but it will not help with "relaying"/"supporting" a 'direct' connection between two other peers.

 

Unfortunately, I do admit I wasn't thinking about the DynDNS case, as I only run three clients (2 with dynamic IPs, both owned by me, and 1 with a static IP, which is a server I lease).


Reverse engineering of the binaries is also forbidden, and it looks like they want to release an enterprise version with private tracker & relay support, so they're not that happy about open-source solutions like 'sync.io'.

What is this solution 'sync.io'?

I tried researching it but couldn't find anything.
