Kaspersky Internet Security has started describing Syncthing.exe as “Legitimate software that can be used by criminals to damage your computer or personal data”. I see that there were some posts about Kaspersky/malware warnings back in 2016/2017 but here Syncthing is being described as “legitimate software”.
Can someone here tell me how Syncthing can be “…misused by criminals…” and, if it can be misused, what I can do to prevent the misuse.
I’m putting this question to this Syncthing community rather than to Kaspersky because I assume that the community knows more about Syncthing than Kaspersky.
Kaspersky or AV vendors in general will advertise how “smart” their software is and how they integrate deep learning and AI to fight cyber warfare on your behalf…and still flag legitimate software every other day.
Don’t think too much about it; neither did the AV devs.
Just reach out to them and notify them about the false-positive.
Thanks for this rapid reply. So if I understand correctly, Syncthing cannot be misused by criminals, right?
Re. reaching out to the AV devs I need to be able to cite something authoritative from a senior Syncthing developer to the effect that it cannot be misused by criminals. Reassurance from a nobody like me is hardly likely to impress Kaspersky. It will simply be moused into their black hole.
They’re flagging a popular open source software without any justification. It’s not the Syncthing devs who have some explaining to do IMHO.
The way this works is: You report it, they ignore it. More people report it too, they might stop ignoring and realize it’s a false positive. No authority involved in this.
Personal recommendation: Get rid of them. Also not Kaspersky specific; insert AV vendor of your choice and my recommendation stands.
My best guess would be that, in the default configuration, within the web GUI, Syncthing exposes your Syncthing-specific Device Identification hash fingerprint thingy (what am I officially supposed to call those in Syncthing without giving a long-winded technical description?), offers notifications of devices that want to add you, and the folders they want to share with you.
This could be used as a technique for social engineering (basically, deception of the human mind, rather than an attack on the computer itself) to trick naive users into accepting malicious or criminally-obtained files onto their machine.
Presumably there is a way to disable this feature, though I haven’t looked into it.
Other than that, you could use an ad-hoc WiFi network (basically mesh networking — connecting one computer directly to another without a router, or using a computer as something of a temporary router or relay) or even a hardware router dedicated specifically to your local (and potentially remote as well) Syncthing devices, such that nobody else is able to see your device in order to offer to add theirs.
Most broadly, simply avoid accepting invitations unless you can confirm the device ID through another secure channel of communication.
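The advice above to confirm a device ID over a second channel is easier to follow if you know what the ID actually is: the SHA-256 of the device's TLS certificate, base32 encoded into 52 characters, split into four groups of 13 that each get a Luhn mod-32 check character, and displayed as eight dash-separated groups of seven. The check characters mean a typo or a single altered character is rejected before you ever connect to the wrong peer. The following is an added example, not code from the Syncthing project; it reimplements that encoding and verification in Go from the format described here, and the 32-byte hash it uses is constructed (a SHA-256 of a fixed string), not a real device's certificate.

```go
package main

import (
	"crypto/sha256"
	"encoding/base32"
	"fmt"
	"strings"
)

// RFC 4648 base32 alphabet used for Syncthing device IDs.
const luhnBase32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

// luhnGenerate returns the Luhn mod-32 check character for s.
// Each character's value is weighted 1,2,1,2,... from the left; weighted
// values are "digit-summed" in base 32 before being added up.
func luhnGenerate(s string) (byte, error) {
	factor, sum, n := 1, 0, len(luhnBase32)
	for i := 0; i < len(s); i++ {
		codepoint := strings.IndexByte(luhnBase32, s[i])
		if codepoint < 0 {
			return 0, fmt.Errorf("invalid character %q in device ID", s[i])
		}
		addend := factor * codepoint
		if factor == 2 {
			factor = 1
		} else {
			factor = 2
		}
		sum += addend/n + addend%n
	}
	return luhnBase32[(n-sum%n)%n], nil
}

// luhnValidate reports whether the last character of s is the correct check
// character for the characters before it.
func luhnValidate(s string) bool {
	if len(s) < 2 {
		return false
	}
	c, err := luhnGenerate(s[:len(s)-1])
	return err == nil && c == s[len(s)-1]
}

// DeviceIDFromHash renders a 32-byte certificate hash in the 63-character
// display form (8 groups of 7, separated by dashes).
func DeviceIDFromHash(hash [32]byte) string {
	raw := strings.TrimRight(base32.StdEncoding.EncodeToString(hash[:]), "=") // 52 chars
	var withChecks strings.Builder
	for i := 0; i < 4; i++ {
		group := raw[i*13 : (i+1)*13]
		check, _ := luhnGenerate(group) // cannot fail: input is base32 output
		withChecks.WriteString(group)
		withChecks.WriteByte(check)
	}
	s := withChecks.String() // 56 chars
	parts := make([]string, 0, 8)
	for i := 0; i < 8; i++ {
		parts = append(parts, s[i*7:(i+1)*7])
	}
	return strings.Join(parts, "-")
}

// VerifyDeviceID normalises an ID as a user would type it (any case, with or
// without dashes/spaces), checks all four check characters and returns the
// 52-character canonical form. Any single-character corruption is rejected.
func VerifyDeviceID(typed string) (string, error) {
	s := strings.NewReplacer("-", "", " ", "").Replace(strings.ToUpper(typed))
	if len(s) != 56 {
		return "", fmt.Errorf("expected 56 characters after removing separators, got %d", len(s))
	}
	var canonical strings.Builder
	for i := 0; i < 4; i++ {
		group := s[i*14 : (i+1)*14]
		if !luhnValidate(group) {
			return "", fmt.Errorf("check character mismatch in group %d (%q)", i+1, group)
		}
		canonical.WriteString(group[:13])
	}
	return canonical.String(), nil
}

func main() {
	// Constructed hash standing in for a real certificate fingerprint.
	hash := sha256.Sum256([]byte("constructed example certificate"))
	id := DeviceIDFromHash(hash)
	fmt.Println("device ID:", id)

	if _, err := VerifyDeviceID(strings.ToLower(id)); err != nil {
		fmt.Println("unexpected:", err)
	}
	// Simulate a one-character typo when copying the ID over a phone call.
	corrupted := []byte(id)
	if corrupted[0] == 'A' {
		corrupted[0] = 'B'
	} else {
		corrupted[0] = 'A'
	}
	_, err := VerifyDeviceID(string(corrupted))
	fmt.Println("corrupted ID rejected:", err != nil)
}
```

Compare the full 63 characters, not just the first group, when reading an ID back over the second channel; the check characters catch typos, not a substituted ID.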
Thanks very much for these useful leads. I’m very alert to social engineering attacks. What would the attacker’s approach be in this scenario? Would I get an email suggesting I do something, or would I find something odd when I fire up SyncTrayzor (which I use for administering Syncthing)?
Re. the ad-hoc network I hadn’t a clue what that is but Wikipedia wised me up in 90-120 seconds. Researching further, I see that What Is an Ad Hoc Wireless Network? says “…limitations of ad hoc wireless networking include the lack of security and a slow data rate. Ad hoc mode offers minimal security (What Are WEP and WPA? Which Is Best?); if attackers come within range of your ad hoc network, they won’t have any trouble connecting. …” so maybe I’ll steer clear of that solution until I know clearly what I am doing.
The attack vector for social engineering attacks targeting Syncthing is next to zero.
You’ll always have to accept new devices. If you didn’t intend to add a new device then don’t accept one.
Is that not mainly because Syncthing is not widely popular? In a sufficiently crowded environment, such as a theater or stadium, the attack surface (sheer population of nearby devices on the same public-WiFi LAN) would increase significantly. To stop that would require the ability to disable local discovery of your device by other Syncthing instances.
I’m afraid your reply resembles a tautology: as in,
if you refuse to succumb to social engineering then you won’t be susceptible to social engineering.
(If you’re wondering how social engineering could be inserted into Syncthing device pairing, consider that the device-name string can be customized by the attacker to be something the target user is expecting to see, or some misleading message able to affect the gullible.)
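The post above asks for a way to disable local discovery so that nearby instances on a shared network cannot see your device; Syncthing does expose this, along with global discovery and relaying, as options (in the GUI under Settings > Connections, and as elements in config.xml). The following is an added example, not code from the Syncthing project: it parses the relevant parts of a config.xml and lists what makes the device visible or lets a peer push folders onto it. The two config fragments are constructed for the example; element and attribute names (localAnnounceEnabled, globalAnnounceEnabled, relaysEnabled, and the device attributes introducer and autoAcceptFolders) follow Syncthing's config.xml, but the fragments contain only the subset this audit reads.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Minimal projection of config.xml; every element not listed here is ignored
// by encoding/xml, so a full config file can be passed in unchanged.
type syncthingConfig struct {
	Devices []struct {
		ID                string `xml:"id,attr"`
		Name              string `xml:"name,attr"`
		Introducer        bool   `xml:"introducer,attr"`
		AutoAcceptFolders bool   `xml:"autoAcceptFolders,attr"`
	} `xml:"device"`
	Options struct {
		GlobalAnnounceEnabled bool `xml:"globalAnnounceEnabled"`
		LocalAnnounceEnabled  bool `xml:"localAnnounceEnabled"`
		RelaysEnabled         bool `xml:"relaysEnabled"`
	} `xml:"options"`
}

// Audit returns one finding per setting that widens who can see this device
// or who can add folders to it without a fresh prompt.
func Audit(raw []byte) ([]string, error) {
	var cfg syncthingConfig
	if err := xml.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	var findings []string
	if cfg.Options.LocalAnnounceEnabled {
		findings = append(findings, "localAnnounceEnabled=true: device ID is broadcast on the local network; other instances on the same LAN (public Wi-Fi included) can see it and send connection requests")
	}
	if cfg.Options.GlobalAnnounceEnabled {
		findings = append(findings, "globalAnnounceEnabled=true: device ID and address are registered with the global discovery servers")
	}
	if cfg.Options.RelaysEnabled {
		findings = append(findings, "relaysEnabled=true: device is reachable through public relays even when not directly routable")
	}
	for _, d := range cfg.Devices {
		if d.Introducer {
			findings = append(findings, fmt.Sprintf("device %q (%s) is an introducer: it can add further devices to this configuration", d.Name, d.ID))
		}
		if d.AutoAcceptFolders {
			findings = append(findings, fmt.Sprintf("device %q (%s) has autoAcceptFolders: folders it offers are accepted without a prompt", d.Name, d.ID))
		}
	}
	return findings, nil
}

// Constructed fragment: the defaults for discovery plus two trusting device
// entries. Device IDs are placeholders, not real ones.
const exposedConfig = `<configuration version="37">
  <device id="AAAAAAA-EXAMPLE-DEVICE1" name="laptop" introducer="true" autoAcceptFolders="false"></device>
  <device id="BBBBBBB-EXAMPLE-DEVICE2" name="phone" introducer="false" autoAcceptFolders="true"></device>
  <options>
    <globalAnnounceEnabled>true</globalAnnounceEnabled>
    <localAnnounceEnabled>true</localAnnounceEnabled>
    <relaysEnabled>true</relaysEnabled>
  </options>
</configuration>`

// Constructed fragment for a device that is only reachable through addresses
// you configure yourself and accepts nothing without a prompt.
const hardenedConfig = `<configuration version="37">
  <device id="AAAAAAA-EXAMPLE-DEVICE1" name="laptop" introducer="false" autoAcceptFolders="false"></device>
  <device id="BBBBBBB-EXAMPLE-DEVICE2" name="phone" introducer="false" autoAcceptFolders="false"></device>
  <options>
    <globalAnnounceEnabled>false</globalAnnounceEnabled>
    <localAnnounceEnabled>false</localAnnounceEnabled>
    <relaysEnabled>false</relaysEnabled>
  </options>
</configuration>`

func main() {
	for _, c := range []struct{ name, cfg string }{{"exposed", exposedConfig}, {"hardened", hardenedConfig}} {
		findings, err := Audit([]byte(c.cfg))
		if err != nil {
			fmt.Println(c.name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

With discovery and relays off, peers can only reach the device through addresses you enter yourself, which is the configuration equivalent of the dedicated-network suggestion earlier in the thread; the device still has to be accepted manually either way.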
Social engineering cannot be prevented per se. You can only force user interaction and inform them about the consequences of an action. If people are very gullible and do everything the attacker tells them, you have no chance to prevent it.
And this is exactly how it is handled in Syncthing. Any action that could put your data at risk will result in a prompt for user interaction.
And again, all these AV companies are selling snake oil. They blather on about AI and machine learning while blocking regular applications and shitting the bed with real malware.
You hit the nail on the head; the problem with AV is that it also introduces some nasty backdoors into your precious system. It has been seen that AV and anti-spyware are actually sources of the black plague because they also have bugs which can be abused.
In Germany, Kaspersky is currently the subject of something like a “hey user, do you trust it?” discussion. In my opinion our government is very cautious about this, okay, but Kaspersky was my first and best antivirus back in the 2000s, so on the other hand I at least remember a lot of “good” about it. (Source in German from the BSI: BSI - Presse - BSI warnt vor dem Einsatz von Kaspersky-Virenschutzprodukten)
Yes, that’s more generic talk and not so Syncthing specific.