BitTorrent DNA Vulnerable to Remote Hijack
BitTorrent DNA is used for p2p streaming of online videos. It works like this; the user who wants to watch a stream has to install the BitTorrent DNA application, which is also bundled with the BitTorrent mainline client. When the user plays a BitTorrent accelerated stream it will not only download data, but also upload it to other people who are watching the same stream, similar to a regular BitTorrent download.
It turns out that the DNA application is almost identical to uTorrent. “All of the resources are there, dialogs, icons, etc. It is a full blown µTorrent client that just doesn’t display it’s User Interface” writes Wefixedtheglitch, who reverse engineered the application.
The algorithm has changed a bit of course. Pieces are no longer picked at random because this doesn’t work for streaming, so it has to start with getting the first bits, first. Another difference between uTorrent and DNA is that the latter has a built in webserver. This server is used to stream media from localhost or 127.0.0.1, but also introduces some vulnerabilities.
Wefixedtheglitch reports: “It is not impossible for ANY website to hijack and offload content onto your “btdna.exe” process. I consider this risk as “HIGH” and do not recommend users to have the “btdna.exe” software installed on their systems due to these risks, especially if your ISP limits/charges you for bandwidth overages.”
This report contradicts an earlier statement from BitTorrent Inc. CEO Ashwin Navin, who told TorrentFreak: “BitTorrent DNA only accelerates content that a user clicks on. It does not anticipate user wants, or pre-load a user’s PC with content they did not explicitly ask for (via an HTTP request from a webpage).”
One thing is for sure, BitTorrent DNA isn’t perfect yet. Several users reported that it slows down their web-browsers, with Linksys router owners being particularly affected. We have contacted the BitTorrent team about this slowdown issue before and they told us that they are working on a fix. I have no doubt that they will also address the security issues if there are any, but for now I think it is better to uninstall the application when you don’t need it.
DNA automatically starts with Windows, and has to be uninstalled separately from the mainline client. It is pretty well hidden and many users probably don’t even know that btdna.exe is running, as its only noticeable when the Windows task manager is opened.
We contacted BitTorrent Inc., but they haven’t responded so far. Stay tuned.