For several years, TrueCrypt was the gold standard in PC disk decryption suites. That changed nearly 18 months ago, when the individuals who developed the software abruptly quit. The developers declared that the existing software was ““not secure as it may contain unfixed security issues,” provided a final version of the software to decrypt data, and shut the project down. This was all the more puzzling when two extensive security audits found no bugs of significance. As of today, that’s changed.
Security researcher James Forshaw found two critical bugs in the program that could compromise an end-user’s machine. While neither allowed an attacker backdoor access, the Register reports that both could have been used to install spyware to the host machine or record keystrokes. Either of these could’ve been sufficient to allow an attacker to capture the drive’s encryption key, depending on how good the end-users security practices were.
It’s not clear how these bugs slipped past the code audits performed over the past year, but it’s entirely possible that Forshaw and the original audit teams focused on different aspects of TrueCrypt. The second audit report, released earlier this year, states that: “the assorted AES implementations in both parallel and nonparallel XTS configurations were a particular point of focus.” Forshaw’s bugs, in contrast, both appear to be related to other aspects of the system. As Forshaw notes above, even audits don’t catch every bug.
These bugs have been patched in the fork of TrueCrypt, VeraCrypt, which patched both of themon September 26. Note that the current links to descriptions of each bug are 403’d, Forshaw typically waits a week to upload descriptions.
We’ll never know why TrueCrypt’s authors left the project. Clearly these bugs, while significant, can still be fixed without compromising the system. Equally clearly, VeraCrypt was able to solve them in short order, once Forshaw drew attention to them. What we do know, however, is that there’s now very good reason to move away from using TrueCrypt and towards one of the actively maintained forks or alternate solutions. TrueCrypt itself has now proven flawed enough to no longer be trustworthy.
If you’re curious about secure software, including full disk encryption, we covered the topicextensively earlier this year. VeraCrypt is currently the most-recommended alternative to TrueCrypt, but it’s far from the only option. Both OS X and Windows offer support for full-disk encryption — if you need an alternative to TrueCrypt, they do exist.