Is Bittorrent safe? A security pro’s take

The legality of Bittorrent, or at least of what people typically use Bittorrent for, is questionable, but there's a separate question: is Bittorrent safe? Let's dig into that one, with something more than unsubstantiated claims.

First things first

(Image caption) This certainly looks safe, but is it? It's unclear whether the signature offered for verification is for the torrent itself or for the file the torrent downloads.

"Is Bittorrent safe?" is really more than one question. One question is whether the file will harm your computer. The other question is whether you'll get caught. The harm to your computer is the tougher question, so I'm going to take that one first.

How to verify a file is safe

When an IT pro downloads a file, they have ways to make sure the file is safe. I'm not talking about scanning the file with Norton Antivirus, or even uploading the file to Virustotal.

Software publishers who distribute files digitally will provide a signature that you can check to verify nobody tampered with the file. Strictly speaking, this "signature" is a cryptographic hash, or checksum: an algorithm from the SHA family runs through the whole file, performs some heavy math on every byte in it, then outputs a long, cryptic string. It will look something like this:


Every signature is supposed to be unique. That means if I change one byte in a Windows ISO and then give it to you and try to pass it off as original, the signature will change, and you know I changed the file.

So if you can get the SHA signature from the original publisher, you’ve got half of what you need. To get the other half, right-click on the file in Windows Explorer, navigate to CRC-SHA, and pick SHA-1 or SHA-256. If either of those matches, the file is safe.
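The check described above, as an added example that is not from the original post: it hashes a file in chunks, picks SHA-1 or SHA-256 from the length of the value the publisher posted (which is what the right-click menu choice amounts to), and then shows that flipping a single byte breaks the match. The "ISO" and the "published" value are constructed stand-ins.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path: str, algo: str) -> str:
    """Hash a file in 1 MiB chunks so a multi-GB ISO never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path: str, published: str) -> bool:
    """Compare the file with the publisher's value. The algorithm is inferred from
    the digest length (40 hex chars = SHA-1, 64 = SHA-256), so either one works."""
    published = published.strip().lower()
    algo = {40: "sha1", 64: "sha256"}.get(len(published))
    if algo is None or any(c not in "0123456789abcdef" for c in published):
        return False
    return hmac.compare_digest(file_digest(path, algo), published)

def demo() -> dict:
    """Constructed 'ISO': verify it, flip one byte, verify again."""
    original = b"constructed ISO contents " * 1000
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "win.iso")
        with open(path, "wb") as f:
            f.write(original)
        published = hashlib.sha256(original).hexdigest()  # stands in for the vendor's page
        before = verify(path, published.upper())          # letter case must not matter
        tampered = bytearray(original)
        tampered[12345] ^= 0x01                           # one bit in one byte
        with open(path, "wb") as f:
            f.write(bytes(tampered))
        return {"untouched": before, "one_byte_changed": verify(path, published)}
```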

If you've got the SHA signature, there's nothing inherently wrong with downloading a Windows ISO from Bittorrent rather than from the official Microsoft sources. That's not the answer you were expecting to hear from a stodgy middle-aged CISSP, was it?

What can go wrong to make Bittorrent not safe

The danger with Bittorrent has always been that someone could plant a malicious file in the download, then offer it up on Bittorrent and watch it proliferate. And while it’s much harder to plant a malicious file in an audio or video file than it is in software, it’s not impossible. Bugs in popular media players do turn up from time to time, and it’s more than theoretically possible to modify an audio or video file in such a way as to make a media player install malware.

Scanning the file with antivirus might work. But if the person doing the tampering knows what they’re doing, it won’t.

And of course, checking the SHA signature doesn't help in this case. The SHA signature trick depends on knowing the SHA signature of an original, untampered copy. If you're pirating a video game, you won't know the SHA signature. The same goes for MP3 audio or MP4 video. The torrent site probably provides a SHA signature with the link, but for all you know, that's the signature of the tampered file. Or the signature of the torrent file, not the file you downloaded.
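The distinction in that paragraph, as an added example that is not part of the original post: a torrent carries SHA-1 hashes of every piece, so a client can prove the download matches the torrent, but that says nothing about whether the torrent matches the publisher's file. The bencode decoder and the sample "release" below are constructed for this illustration.

```python
import hashlib

def bdecode(data: bytes, i: int = 0):
    """Minimal bencode decoder: returns (value, index after it) for ints, strings, lists, dicts."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        return (items if c == b"l" else dict(zip(items[0::2], items[1::2]))), i + 1
    colon = data.index(b":", i)
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def pieces_match(info: dict, payload: bytes) -> bool:
    """True when payload is exactly what the torrent's SHA-1 piece list describes."""
    plen, hashes = info[b"piece length"], info[b"pieces"]
    expected = [hashes[k:k + 20] for k in range(0, len(hashes), 20)]
    chunks = [payload[k:k + plen] for k in range(0, len(payload), plen)]
    if info[b"length"] != len(payload) or len(chunks) != len(expected):
        return False
    return all(hashlib.sha1(c).digest() == h for c, h in zip(chunks, expected))

def make_torrent(name: bytes, payload: bytes, plen: int = 16) -> bytes:
    """Build a single-file .torrent for payload (constructed test data, not a real release)."""
    pieces = b"".join(hashlib.sha1(payload[k:k + plen]).digest() for k in range(0, len(payload), plen))
    return (b"d4:infod6:lengthi%de4:name%d:%s12:piece lengthi%de6:pieces%d:%see"
            % (len(payload), len(name), name, plen, len(pieces), pieces))

def check(torrent: bytes, downloaded: bytes, publisher_sha256: str) -> dict:
    """Two separate questions: is this what the torrent describes, and is it the publisher's file?"""
    meta, _ = bdecode(torrent)
    return {
        "matches_torrent": pieces_match(meta[b"info"], downloaded),
        "matches_publisher": hashlib.sha256(downloaded).hexdigest() == publisher_sha256,
    }

# Constructed sample: the publisher's genuine file, plus a copy with one byte changed that
# someone re-seeded. The torrent, and any hash posted beside it, describe the tampered copy.
ORIGINAL = b"genuine installer payload from the vendor"
TAMPERED = ORIGINAL[:7] + b"X" + ORIGINAL[8:]
PUBLISHER_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()   # stands in for the vendor's own site
TORRENT = make_torrent(b"installer.bin", TAMPERED)
```

Running `check(TORRENT, TAMPERED, PUBLISHER_SHA256)` reports a clean torrent match and a publisher mismatch, which is exactly the gap the hash next to the download link cannot close.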

And the trouble here is I have no way to tell you how safe or unsafe it is. Some percentage of the files haven’t been altered at all and are perfectly safe to use. Some percentage have been tampered with, and your system may or may not be immune to it. And there’s no way for me to know what the percentages are. It’s unknown odds.

In the face of that, it’s my job to tell you to stay away.

That’s not what I meant. Will I get caught?

If, when you ask if Bittorrent is safe, you mean will you get caught, the answer is it depends. Bittorrent traffic isn’t hard to detect on the network. To some extent your ISP may look the other way. They know P2P is a major reason people buy Internet access, so they have some incentive to ignore it until someone complains.
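How easy that detection is, as an added example that is not from the original post: the peer-wire handshake starts with a fixed protocol string, and the info hash and peer id sit in it unencrypted, so a network monitor needs only the first bytes of a connection. The flows below are constructed, not captures.

```python
import hashlib
import ipaddress

PSTR = b"BitTorrent protocol"

def parse_handshake(payload: bytes):
    """Return (info_hash, peer_id) if payload begins with a BitTorrent handshake, else None.
    Layout: 1-byte length (19), protocol string, 8 reserved bytes, 20-byte info hash, 20-byte peer id."""
    if len(payload) < 68 or payload[0] != len(PSTR) or payload[1:20] != PSTR:
        return None
    return payload[28:48], payload[48:68]

def flag_bittorrent(flows):
    """flows: iterable of (src_ip, dst_ip, first_payload_bytes). One record per handshake seen."""
    hits = []
    for src, dst, payload in flows:
        parsed = parse_handshake(payload)
        if parsed is None:
            continue
        info_hash, peer_id = parsed
        hits.append({
            "src": src,
            "dst": dst,
            "info_hash": info_hash.hex(),
            "client": peer_id[:8].decode("ascii", "replace"),   # Azureus-style client tag
            "src_is_private": ipaddress.ip_address(src).is_private,
        })
    return hits

# Constructed sample traffic: one BitTorrent handshake and one ordinary HTTP request.
INFO_HASH = hashlib.sha1(b"constructed info dict").digest()
HANDSHAKE = bytes([len(PSTR)]) + PSTR + b"\x00" * 8 + INFO_HASH + b"-qB4500-" + b"x" * 12
FLOWS = [
    ("192.168.1.20", "203.0.113.7", HANDSHAKE),
    ("192.168.1.21", "203.0.113.8", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]
```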

But an IP address is right there in the Bittorrent traffic. So if I want to see if anyone is pirating my book, I can search the torrent sites for a phrase like “Optimizing Windows Farquhar pdf” and see what comes up. If a torrent comes up, I can fire it up in my own client to see who’s seeding it and who’s downloading it. In the case of a book about Windows published in 1999, I don’t imagine too many people are sharing it, but in the event someone is, I’ll have their IP address. And I can use a tool called WHOIS to find out who owns that IP address.

And at that point, I've caught the person, if they're using their home IP address. If they're using a VPN, I can complain to the VPN provider, but if the provider is doing it right, they aren't storing the information needed to track the person down. If they're not using a VPN, I can complain to their ISP. The ISP may hand over their identity, or they may handle it themselves.

So from the standpoint of getting caught or not, using Bittorrent without a VPN isn't very safe. It's easy to track you down, and everyone assumes you're doing illegal stuff with it, even if you really are downloading public domain movies and Linux distributions. Using Bittorrent with a VPN can keep you from getting caught. But it doesn't do anything about the safety of the files themselves. And even downloading legal content with Bittorrent calls undue attention to yourself.

