In this article, you will learn why using BitTorrent is a privacy and security disaster and what torrent download risks there are in terms of legality, malware and cyber attacks.
BitTorrent is one of the most popular protocols for transferring large downloads like video files, games, music and software. Due to the nature of such big downloads, they accounted for 43-70% of all internet traffic in 2009. Since then things have changed. Netflix, Youtube and Amazon Video now stream very big video files with up to 4k resolution, so BitTorrent’s share has shrunk quite a bit. A lot of people use VPNs to download torrents specifically and most people believe that it is almost completely safe.
When we are talking about torrents, it is important to point out that aside from perfectly legal downloads, there is an infinite number of torrents that download pirated software. We strongly advise you to stay away from those. In many jurisdictions, downloading (leeching) pirated digital goods is not really a serious misdemeanour (fines <1000$). Uploading (seeding) on the other hand leads to much more serious consequences and you always upload automatically when using torrents.
Let us now talk about torrent download risks for you personally, the user. Torrenting over a VPN is not entirely safe and not recommended. You are not always anonymous, since popular torrent clients like μTorrent, BitTorrent (client) and Vuze are known for DNS leaks that make your real IP address visible.Not even a VPN protects you from this, since it is an issue in the software, which runs on your machine and is independent from your VPN. In μTorrent specifically, the issue is DNS rebinding and allows adversaries to remotely execute code on your machine.
The hack is performed by abusing μTorrent’s remote control feature. This was revealed in a report from the Google security researcher Tavis Ormandy, who discovered the issue.
Despite all of this, μTorrent still had a market share of 65% in 2015 and the BitTorrent client had 12%.
If you have to download files with BitTorrent, please use safer open-source alternatives, such as qBittorrent and Deluge. These two and especially qBittorrent are focused on privacy. qBittorrent even offers an encrypted connection for both “leeching” (download) and “seeding” (upload). Out of these two, just choose the one whose GUI is your thing. Unfortunately, even with safe clients there is still the problem that you cannot know for sure whether the VPN provider really takes the “no logs” policy seriously. If they do not, they are in possession of detailed evidence of the things you have downloaded.
Another thing you should not fall for are private trackers. In contrast to public trackers, they are not listed on a website, which means that you need an invitation or membership to download them. They have no added security and even worse, some websites require you to register with your email address.
If you have to download torrents, we would advise you to use trackerless torrents. In contrast to private trackers, trackerless torrents are actually useful.
A tracker is a special type of server that knows where the files you want to download reside. In particular, they know on which peer machines it can be found and if they are available. Those trackers could identify you, because you connect to them before the P2P transfer starts.
An alternative are distributed hash tables (DHTs). A DHT allows you to exchange files like music and software directly, without a torrent file. That is possible, because the needed information is stored within the P2P network’s connected nodes, instead of on a tracker server. That is why it is called a “distributed” hash table, it is not stored in one specific location, but across many computers that host a fraction of it.
With this system, you can exchange files with peers by directly connecting to them. The exchange can be performed using the BitTorrent protocol, there is really no need for a torrent file. This is great, since torrent files contain metadata. Torrent files are essentially a text file that tells you which files are being shared and which trackers track seeds and peers.
To make it even more secure, you should use an open-source BitTorrent client. We especially like qBittorrent for its privacy features. The client supports distributed hash table (DHT), peer exchange protocol (PEX) and local peer discovery.
That means that you can use the trackerless torrents described above and the distributed tracking system of BitTorrent. We therefore suggest that you use qBittorrent if you cannot avoid torrenting. PEX and LSD are systems that further help you gather peers in addition to DHT, so you always have enough peers for the transfer to continue.
Here, we will list hacking-related torrent download risks.
When you use BitTorrent, you download (leech) and upload data (seed) at the same time to keep the files accessible for many users. Due to the way seeding is implemented, the machines of users that are running BitTorrent can be abused for attacks. The type we will talk about now is a DDoS Amplification attack, which is otherwise often done with the Network Time Protocol (NTP). To learn more about that, visit our post “Cyber Attacks, Exploits, Defences (short list)“.
Just like the NTP, the torrent client software can be manipulated to amplify and reflect incoming traffic. After that, a large amount of data is sent back. Therefore, it is possible to launch very strong DDoS attacks, because an attacker can start a normal-sized DDoS attack, but then reflect it from a group of BitTorrent users to the target. This amplifies the amount of requests and data, so it can be abused to bring down fairly large server targets.
The technical term for such an attack type is distributed reflective denial-of-service (DRDoS) attack and abuses the specific technology of the protocol that BitTorrent uses. This relatively new type of attack was discovered by security researcher from the City University London and the THM Friedberg.
We hope to have informed you sufficiently about torrent download risks. If you do not want to listen to use and still download torrents, please make sure that you use a secure BitTorrent client. Never trust μTorrent or Vuze. Ideally, use safer open-source alternatives, such as qBittorrent and Deluge. These two and especially qBittorrent are focused on privacy. qBittorrent even offers an encrypted connection for both “leeching” (download) and “seeding” (upload). Out of these two, just choose the one whose GUI is your thing. Unfortunately, even with safe clients there is still the problem that you cannot know for sure whether the VPN provider really takes the “no logs” policy seriously. If they do not, they are in possession of detailed evidence of the things you have downloaded.
You still always want to use a VPN. To learn everything about how this can protect you, please read our VPN guide. We also have an article on the best free VPNs for you to check out.
Please always take the time to prepare yourself if you ever need to use BitTorrent. We have found two websites that could be of assistance to you. One is from Best BitTorrent VPN and explains the absolute minimum of privacy measures. The other one comes from VPN University and talks specifically about DNS leaks. The latter helps you avoid revealing your IP address effectively.