Why File Sharing Networks Are Dangerous?

contributed articles

DOI: 10.1145/1461928.1461962

BY M. ERIC JOHNSON, DAN MCGUIRE, AND NICHOLAS D. WILLEY

COMMUNICATIONS OF THE ACM | FEBRUARY 2009 | VOL. 52 | NO. 2

PEER-TO-PEER (P2P) SOFTWARE CLIENTS have become part of the standard suite of PC applications for many users. With millions of users worldwide sharing music, video, software, and pictures, file movement on these networks represents a significant percentage of internet traffic. Beyond the much discussed copyright infringement issues, P2P networks threaten both corporate and individual security. Our research shows that confidential and potentially damaging documents have made their way onto these networks and continue to do so. The research also shows that criminals trawl P2P networks and opportunistically exploit information that they find.

P2P file sharing represents a growing security threat because of the evolution of these networks. Internet service providers (ISPs), firms, and copyright holders have responded to the rise of P2P both technically (site blocking, traffic filtering and content poisoning1) and legally. These challenges have prompted P2P developers to create decentralized, encrypted, anonymous networks that are difficult to track, are designed to accommodate large numbers of clients, and are capable of transferring vast amounts of data.

We analyze the P2P security issues, establishing the vulnerabilities these software clients represent. Then we present experimental evidence of the risk through honey-pot experiments that expose both business and personal financial information and track the resulting consequences. This analysis and experimental results clearly show the security risk of P2P file sharing networks.

Peer-to-Peer File Sharing

Peer-to-peer file-sharing networks enable users to “publish” or “share” files – any file from music to video to spreadsheets. P2P networks provide a ready-made sharing infrastructure that is difficult to block and even harder to track, providing cover for espionage and criminal activity. They encourage users to leave their computers on and connected to the internet at all times, running software that heavily uses their network, disk, and processor. Recent legal battles being won by the content industry (RIAA/MPAA) seem to have done little to really reduce file sharing,15 but have rather pushed users onto new clients and networks that are even harder to track.

Peer-to-peer file sharing came of age during the dot.com boom and the rise of Napster. Between its debut in 1999 and its eventual failure in 2001, Napster enabled tens of millions of users to easily share MP3-formatted song files with each other. However, its success and failure paved the way for many new P2P file-sharing networks such as Gnutella, FastTrack, e-donkey, and Bittorrent, with related software clients such as Limewire, KaZaA, Morpheus, eMule, and BearShare. This next breed of sharing systems has proven far more difficult to control and a much larger security threat.

A number of firms and internet service providers (ISPs) block or throttle traffic associated with P2P systems using a simple, fast approach known as port filtering. In response, P2P clients responded by using ports associated with other services (Web traffic, email traffic, among others) to exchange data. The P2P traffic then blends in with other traffic. Indeed, recent traffic studies suggest that P2P connections are now distributed across all ports with concentrations at a few preferred points.8 Today P2P traffic levels are still growing, but no single powerhouse application is driving it.9 The aggregate numbers suggest that usage between 2003 and 2007 more than doubled, from less than 4 million to nearly ten million simultaneous users.10 This does not include Bittorrent traffic, which is one of the most popular P2P applications for video and is more difficult to monitor. It also doesn’t include users on private networks. Private networks, sometimes called dark networks (or darknets), are typically accessed through invitations from other users. Such networks, like OinkMe, may include millions of users.

Many users shift from network to network based on features and popularity. For example, the FastTrack network (used by KaZaA) has seen declines over the past three years while others like Gnutella have grown (Figure 1). Semi-successful attempts by content holders to disrupt access, coupled with KaZaA developers’ efforts to increase revenue, quickly drove users to other networks, and even fostered the creation of new networks. This suggests low barriers to entry for new file sharing systems and also suggests that P2P networks serve a very mobile, well-informed user base that is willing to explore new alternatives as they arise.

Figure 1. P2P Network Usage

With the constant introduction of new file sharing systems, one might wonder what is driving the innovation. While there have been some astounding attempts to sell the computational services of the user network, the typical business models of the software client developers are fairly simple, either community-driven open source or advertising supported.

P2P may have once been exclusively for the technologically elite, but today P2P adoption is widespread. One study found that 27% of adult Americans admit to sharing files from their computer with others.11 Income, race, and sex seem to play little role in determining whether an individual will engage in file sharing.12 Age is by far the largest signal of an inclination to share: Students are almost twice as likely to share as non-students.

P2P Security — How Does Sensitive Information Get Exposed?

Current P2P clients allow users to share items in a particular folder and often direct users to move files to that folder. In normal operation, a P2P client simply writes files to disk as it downloads them and reads files from disk as it uploads them. There are several routes for confidential data to get on to the network: a user accidentally shares folders containing the information; a user stores music and other data in the same folder that is shared; a user downloads malware that, when executed, exposes files; or the client software has bugs that result in unintentional sharing of file directories. Of course it is not necessary for a worm or virus to expose personal or sensitive documents because many users will unknowingly expose these documents for many reasons:

  • Misplaced file. If a file is dropped accidentally into the wrong folder.
  • Confusing interface design. Users may be unaware of what folders are being shared or even that they are sharing files. For example, in a user study, Good and Krekelberg found that the KaZaA interface design contributed to user confusion over what files were being shared.4
  • Incentives to share a large number of files. Certain programs reward users for making files available or uploading more files. Some users may believe they can gain an advantage by sharing their entire hard drives.
  • General laziness on the part of the user. If a user has a folder such as “My Documents” with many media folders inside, they may share My Documents rather than selecting each media folder individually to share, thus exposing all the other types of documents and folders contained within.
  • Wizards designed to determine media folders. Some sharing clients come with wizards that scan an individual’s computer and recommend folders containing media to share. If there is an MP3 or image file in a folder with important documents, that entire folder could be exposed by such a wizard.
  • Unaware or forgetful of what is stored on the computer. Users may simply forget about the letter they wrote to the bank, or the documents they brought home from work. Similarly, teenagers using P2P may not know what their parents keep on the Desktop.
  • Poor Organization Habits – Certain people may not take the time to organize their files. MP3s, videos, letters, papers, passwords, and family pictures may all be kept in the same folder.

To illustrate the problem, we spent a couple hours searching the Gnutella network for sensitive personal documents; the resulting files we found should be disconcerting to users of P2P networks:

  • Birth Certificate – 45 Results
  • Passport – 42 Results
  • Tax Return – 208 Results
  • FAFSA – 114 Results

The Free Application for Federal Student Aid (FAFSA) and the U.S. Government’s “EFILE” program both encourage individuals to complete forms online. When these forms are complete and full of potentially harmful information, applicants are asked to save a copy for their records. Similarly, those who are worried about credit scores often visit sites such as freecreditreport.com and annualcreditreport.com which, after asking several questions, return the customer a pdf file with their credit history. These types of files leak out onto the P2P networks because of their inherent digital nature.

We downloaded a selection of these files and verified that they were indeed real. We observed one particular individual who was sharing a scanned copy of his passport.

rity breaches that depend on human intervention, abetted by a carelessness or lack of proper security education among users. The remedies are also similar: user education, proper controls on corporate information, site blocking, periodic tests, and P2P network monitoring. We believe that the vast majority of information leaks are the result of accidentally shared data rather than the

that run in the background and while the user is not at the computer.3 This suggests that the user is not carefully tracking the activities of the P2P client, increasing the opportunity for abuse. Further, even benign file sharing programs consume significant processor time and network bandwidth, conditioning the P2P user to tolerate sluggish performance that, for others,
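
The exposure routes listed under "P2P Security — How Does Sensitive Information Get Exposed?" (an over-broad share root such as "My Documents", documents stored beside media, forgotten files) can be checked on one's own machine by auditing the folder a P2P client is configured to share. The script below is an added example, not code from the article or its authors; the extension lists, the keyword pattern, the function names and the sample directory tree are all assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed, illustrative lists; tune them for the environment being audited.
MEDIA_EXT = {".mp3", ".wav", ".avi", ".mpg", ".mp4", ".jpg", ".jpeg", ".png", ".gif"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf", ".csv"}
BROAD_ROOTS = {"my documents", "documents", "desktop"}
# Document types the article found on Gnutella, plus credit reports and passwords.
SENSITIVE = re.compile(
    r"birth[ _-]?cert|passport|tax[ _-]?return|fafsa|credit[ _-]?report|password", re.I)

def root_too_broad(root):
    """True when the share root is a catch-all folder or the home directory."""
    real = os.path.realpath(root)
    home = os.path.realpath(os.path.expanduser("~"))
    return os.path.basename(real).lower() in BROAD_ROOTS or real == home

def audit_shared_folder(root):
    """Walk a P2P shared folder and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        exts = {os.path.splitext(f)[1].lower() for f in files}
        mixed = bool(exts & MEDIA_EXT) and bool(exts & DOC_EXT)
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if SENSITIVE.search(name):
                findings.append((rel, "sensitive-name"))
            elif ext in DOC_EXT:
                reason = "document-in-media-folder" if mixed else "document-shared"
                findings.append((rel, reason))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample: a shared 'My Documents' mixing media and documents."""
    for rel in ("Music/song.mp3", "Music/letter_to_bank.doc", "scan_passport.jpg",
                "Taxes/2007 Tax Return.pdf", "Pictures/beach.jpg"):
        path = os.path.join(base, "My Documents", *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return os.path.join(base, "My Documents")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        share = build_sample_tree(tmp)
        print("share root too broad:", root_too_broad(share))
        for rel, reason in audit_shared_folder(share):
            print(f"{reason:26} {rel}")
```

Matching is by file name and extension only, so a scanned document with a neutral name still needs a manual look; the safest share root is a dedicated folder that holds nothing but the media meant to be shared.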
