Update: 9/21/15

Since I wrote this article, Bittorrent Sync has progressed a fair bit - mostly in terms of usability - and transitioned to a paid product with a basic free-tier. It's important to understand, however, that they have actually made the security issues worse as detailed toward the end of this article.


It's been a while since I posted here, so I'm going to jump in with something that's very important to me, and should be to you as well. Personal data security.

In the age of cloud-everything, personal data is more amorphous and insecure than ever. The recent celebrity photo leaks are a testament to that. You have personal information scattered all across the internet through Facebook, Twitter, iCloud, OneDrive, Google Drive, etc.... Often without even realizing you're uploading this information at all.

In January of last year(2013), Bittorrent Inc. announced Bittorrent Sync which they purported to be the answer to all your data security woes. Well, most of them anyway. Hot on the heals of a Dropbox security breach, they played up the fact that your data isn't stored on any servers anywhere. It's just on your own private machines. Sounds good, right? Not so fast.

Let's run through how it works.

When you create a share, it is given a 33-character, no-case, alpha-numeric key. That's a total of 27,640,097,400,000,000,000 possible keys (Roughly 27.64 quitillion). You use that key for everything. Want to set up new device. You just put in the key. Want to share with a friend. They just put in the key. Nice and easy. All transmissions are secured using that key and AES-128 encryption - a known and trusted protocol.

This all sounds great! Easy to use, everything just works, and all my information is nice and secure. Nope. Just nope. Most people using BT Sync are using the default setup - which uses the Bittorrent's discovery service. How does that impact security? Glad you asked. Basically, any hacker could start up a botnet or grab a buch of cheap, anonymous VPSes in Russia(or both) right now and just have it start hammering away at that discovery service with different key possibilities. Cycling through the list would take a while, but the hacker would get a steady stream of valid share connections and be able to just start downloading data at will. It would be trivial for a hacker to maintain connection to a whole host of shares since that key is the only thing standing between hackers and your data. They don't need to know your IP address, or your network setup, they just need to guess that key.

This is such a fucking massive security flaw that it just blows my mind. How a product shipped - even in an alpha state - with this kind of gaping security hole is beyond me.

In summary, if personal data security is a concern for you - and it should be - go ahead and grab a copy of Bittorrent Sync. Just, for the love of all that is good in this world, do not use a public discovery service.

Update 9/21/15

Since writing this article, the idiots people behind Bittorrent Sync have removed the ability to disable the public discovery service and added the ability to auto-grok all shares by registering as a trusted device. If you guessed that registering as a trusted device is as simple as entering a key into a public discovery service, then you're correct. Sure the key's longer, but it's still nothing more than pretend security and every guessed device key gives access to all of that user's shares.

In short. DO NOT USE Bittorrent Sync