BitTorrent DNA Vulnerable to Remote Hijack
Written by Ernesto on January 03, 2008A recent reports suggests that the BitTorrent DNA, which is bundled with the mainline client, is an “exploitable” version of uTorrent without the user interface. It is suggested that it is possible for any websites to offload content to the btdna.exe, without the user’s consent.
BitTorrent DNA is used for p2p streaming of online videos. It works like this; the user who wants to watch a stream has to install the BitTorrent DNA application, which is also bundled with the BitTorrent mainline client. When the user plays a BitTorrent accelerated stream it will not only download data, but also upload it to other people who are watching the same stream, similar to a regular BitTorrent download.
It turns out that the DNA application is almost identical to uTorrent. “All of the resources are there, dialogs, icons, etc. It is a full blown µTorrent client that just doesn’t display it’s User Interface” writes Wefixedtheglitch, who reverse engineered the application.
The algorithm has changed a bit of course. Pieces are no longer picked at random because this doesn’t work for streaming, so it has to start with getting the first bits, first. Another difference between uTorrent and DNA is that the latter has a built in webserver. This server is used to stream media from localhost or 127.0.0.1, but also introduces some vulnerabilities.
Wefixedtheglitch reports: “It is not impossible for ANY website to hijack and offload content onto your “btdna.exe” process. I consider this risk as “HIGH” and do not recommend users to have the “btdna.exe” software installed on their systems due to these risks, especially if your ISP limits/charges you for bandwidth overages.” This claim was backed up by an additional researcher upon TorrentFreak’s request.
This report contradicts an earlier statement from BitTorrent Inc. CEO Ashwin Navin, who told TorrentFreak: “BitTorrent DNA only accelerates content that a user clicks on. It does not anticipate user wants, or pre-load a user’s PC with content they did not explicitly ask for (via an HTTP request from a webpage).”
One thing is for sure, BitTorrent DNA isn’t perfect yet. Several users reported that it slows down their web-browsers, with Linksys router owners being particularly affected. We have contacted the BitTorrent team about this slowdown issue before and they told us that they are working on a fix. I have no doubt that they will also address the security issues if there are any, but for now I think it is better to uninstall the application when you don’t need it.
DNA automatically starts with Windows, and has to be uninstalled separately from the mainline client. It is pretty well hidden and many users probably don’t even know that btdna.exe is running, as its only noticeable when the Windows task manager is opened.
Update: We received a response from BitTorrent Inc.
The blog post suggesting BitTorrent DNA is an “exploitable” version of uTorrent is erroneous. The blogger you cite should have been more diligent in his/her research, but one can hardly expect reliable information from an anonymous blog. While it is possible for any application to send requests through btdna.exe as a simple proxy, the DNA client will only accelerate authorized URLs that are registered by BitTorrent Inc. in the DNA service center. When an authorized URL is passed to the proxy, the DNA client connects to a managed infrastructure that includes a high performance tracker that introduces the client to DNA peers who have also requested the same file. The DNA service center also includes a real-time
dashboard that provides our customers visibility and control over their accelerated content, as well as better management over their entire content delivery infrastructure.
As far as the user is concerned, BitTorrent DNA only receives data that a user requests. Like any BitTorrent transfer, it is ‘private’ in that it never uploads anything you yourself haven’t requested from a webpage. It does not anticipate user wants, or pre-load a user’s PC with content not explicitly requested via an HTTP request from a webpage. Our terms for DNA
require websites to disclose to users why and how DNA improves the experience for video, software, and games with P2P acceleration.
Furthermore, BitTorrent DNA when fully released in BitTorrent mainline will allow users to see and fully control DNA activity through the mainline interface. Currently DNA is being deployed as a stand alone application, but DNA functionality will be added to mainline seamlessly in the future. We have standardized our development for PC clients on the uTorrent codebase. Mainline 6.0 was the first to leverage this codebase, and our DNA client also leverages the uTorrent codebase but includes many new enhancements beyond uTorrent for things like video streaming for example.
Not all P2P video streaming is created equal, and we strive to offer progressively downloaded video maintaining as much of the efficiency “rarest-first” offered in traditional BitTorrent. Making video streaming with BitTorrent work reliably and efficiently is non-trivial engineering, and we’ve spent quite a bit of time getting it to be the best implementation available.
The best place to visualize DNA video in action is here:
Or for full length movies and TV shows here:
Previously: Conspiracy Against Shareaza and Open Letter to the Recording Industry
Next: US Pirate Party Endorses Barack Obama
144 Responses
Pages: [1] 2 3 4 5 6 » Show All
Will teach them :) Closing the BT specs ;)
i am
the original BitTorrent client is a pile of crap, compared to uTorrent.
That client is completely utter spam
I ‘ve uninstalled immediately
a year ago!
I don’t even watch videos… :-D
I don’t even use internet lol :D
I used some proggie that played normal torrents as streaming video a long long time ago, worked flawless aslong as the speed was okish otherwice it buffered just like any normal stream.
Anyone else know the proggie? “torrentstream” maybe?
Do DNA require some kind of special torrent format or something? sure hope not, kinda useless to make new formats when its already been more or less working over years ago.
Maybe not stream and upload at the same time bit but that would be easely solved with some open source genius brain massage instead of new formats ;)
Im a new format hater if it didnt notice :)
HD-DVD and Blueray etc should melt in microwaves of justice.. xD
[quote comment="254642"]
Maybe not stream and upload at the same time bit but that would be easely solved with some open source genius brain massage instead of new formats ;)[/quote]
mmm brain massage.. can i get that with a happy ending?
Hopefully there will be a quick fix. I haven’t tried it yet, but torrent streaming sounds like an excellent new technology, especially for small content folks.
I don’t know how anyone uses the mainline client, though. That thing be ugly.
I can’t stand the mainline client. I only have it for testing purposes, I would never use it regularly.
HALITE FTW!
It’s a bit of a stretch to call streaming over BitTorrent a new technology. All it is, is a modification to one of the algorithms in the BitTorrent peer wire protocol. Normally, BitTorrent clients request rare pieces from other clients to ensure swarm health. In a streaming situation, the BitTorrent client requests pieces in a sequential order.
For an open source alternative to DNA, look no further than Azureus Vuze. When you choose to playback a video from the Vuze platform before the download is finished, the Azureus client immediately start to request pieces in sequential order. You can see this graphically in the Azureus piece information graph. The red arrows representing requested pieces shift from littered all over the piecemap to sequentially ordered from the beginning.
I’m not saying Vuze is perfect, of course. Even though Azureus is open source, the Vuze license agreement limits derivative works to some extent. And Vuze only enables playback before download completion for videos from the Vuze platform, you can’t do it for ordinary torrents.
a new innovation always brings in new creative problems.
[quote comment="254637"]I don’t even use internet lol :D[/quote]
Yo ArAsh, if u don’t use the internet… Just how did you get to view this article?
BTDNA is a sweet idea, but like with all things, when it has just kicked ff it needs testing, and is in it’s ‘TWEAKING’ stage. I’d love to see this kind of this kind of thing working on YouTube. After the Glitches though.
BitTorrent DNA is not innovation. It is a modification, at best. And not a good modification at that.
BitTorrent DNA is designed to do two things, neither of which are good things.
1. It alters the BitTorrent piece downloading strategy to enable streaming. While this may sound good in paper, it in fact is detrimental to the protocol as a whole. One of the reason why BitTorrent is robust, scalable, and able to resist flash crowding is because of the randomized, rare-priority piece download strategy. This ensures that each peer has unique selection of pieces so that as peers download, they can share pieces with each other. This takes load off the initial seeds and enables swarms to scale. Imagine what happens when all peers want to stream the content. Instead of having unique pieces to share with each other, all peers will want the same pieces in sequential order from the beginning of the stream. Peers will have little to share with each other, thus placing load back onto the seed. This makes BitTorrent little better than a simple client/server distribution network.
2. It attempts to hide the BitTorrent download process from the user. In a normal BitTorrent client, the user manually loads the .torrent metafile into the client to initiate the download, and has the option to modify a number of client settings to suit the user’s needs, including vital settings like upload bandwidth limits to suit the user’s ISP limitations. In BitTorrent DNA, however, the download initiation process is no longer placed in the user’s control, and the user is no longer able to modify the client’s settings. Rather, the BitTorrent DNA client opens up a local HTTP socket to respond to requests from Flash applications running on websites. Flash applications designed to use BitTorrent DNA tells it to start a BitTorrent download, not the user. Instead of the user determining when to enable a download to use his/her upload bandwidth, this control is placed in the hands of the content provider who makes the Flash application.
By the way, the title of this article is a bit misleading. BitTorrent DNA is not “vulnerable” to remote hijack. It is actually designed to permit these so-called “remote hijacks”. The whole point of BitTorrent DNA is to allow Flash applications to stream files over BitTorrent without user intervention. Using Flash to access BitTorrent DNA is not an exploit, it is the exact function that BitTorrent DNA seeks to provide.
Very informative and well written @ #15.
Thank you for that =)
#16 You are wrong, you can keep the sites limited by keep a list in the crossdomain.xml that is embedded into the “btdna.exe”. At this point it allows “*” which means any movie from any domain can unload any type of content onto your machine. The issue here is that BitTorrent, Inc. claims it to be secure, this alone is a major security issue as well as a privacy concern.
glitch, why do you think that it allows “*” in the first place? Do you really expect that users will manually configure each application to be used by BitTorrent DNA by editing an xml document? Or that BitTorrent Inc. push out a new version of BitTorrent DNA with an updated crossdomain.xml list everytime a new customer signs up to use their technology? If you can’t anticipate all domains that will use BitTorrent DNA to stream video, of course you would have to allow all domains.
To solve this security problem you would need to present users with a dialog box with the option to allow or reject each Flash application that uses BitTorrent DNA, as well as a way for BitTorrent DNA to verify and store digital signatures for accepted Flash applications, with the help of a Certificate Authority. So a secure solution exists, of course, but it is not as simply as editing the crossdomain.xml file.
Also, I don’t expect this solution to exist due to the nature of BitTorrent DNA. BitTorrent DNA is not designed for user control. It is designed for transparency, to utilize BitTorrent resources without the user even realizing it, so that Flash players that stream video over BitTorrent DNA look just like any other Flash player on the web. That’s why it runs as a daemon in the background, that’s why it doesn’t provide the user with a complex GUI and settings, and that’s why it won’t open up a dialog box asking user to approve each BitTorrent DNA-powered application.
[quote comment="254741"][quote comment="254637"]I don’t even use internet lol :D[/quote]
Yo ArAsh, if u don’t use the internet… Just how did you get to view this article?
BTDNA is a sweet idea, but like with all things, when it has just kicked ff it needs testing, and is in it’s ‘TWEAKING’ stage. I’d love to see this kind of this kind of thing working on YouTube. After the Glitches though.[/quote]
Have you ever heard of sense of humour?
Yeah, I used that to read this article :D
I miss when Bittorrent was open source, and you can fix the problems instead of complaining in utorrent forums which they removed my topic when I protested the closing of Bittorrents source.
Now the only option you have is to complain, complain, complain, Man I hate this.
I wish utorrent would go open source.
Free Download Manager did that, they were closed source, but changed to open source.
Mike Kotter werks for the man
use bitcomet
[quote comment="254720"]It’s a bit of a stretch to call streaming over BitTorrent a new technology. All it is, is a modification to one of the algorithms in the BitTorrent peer wire protocol. Normally, BitTorrent clients request rare pieces from other clients to ensure swarm health. In a streaming situation, the BitTorrent client requests pieces in a sequential order.
For an open source alternative to DNA, look no further than Azureus Vuze. When you choose to playback a video from the Vuze platform before the download is finished, the Azureus client immediately start to request pieces in sequential order. You can see this graphically in the Azureus piece information graph. The red arrows representing requested pieces shift from littered all over the piecemap to sequentially ordered from the beginning.
I’m not saying Vuze is perfect, of course. Even though Azureus is open source, the Vuze license agreement limits derivative works to some extent. And Vuze only enables playback before download completion for videos from the Vuze platform, you can’t do it for ordinary torrents.[/quote]
Java is for suckas!
1 references to this post
Pages: [1] 2 3 4 5 6 » Show All
Responses are closed
All remaining responses will continue to be archived. Use the TorrentFreak forums if you want to discuss something.