TrueCrypt Encryption Software Has Critical Security Flaws
By all accounts, there are still plenty of people who use TrueCrypt's software for encryption, even though its developers discontinued the project abruptly last May. More than five months after it was shut down, a community-led audit of the software didn't find any security backdoors. However, new research has uncovered two privilege-escalation vulnerabilities -- one of them "critical" -- that could affect Windows users of the freeware.
James Forshaw, an information security engineer and researcher with Google's Project Zero team -- which looks for zero-day exploits -- recently identified two vulnerabilities that were apparently missed by auditors with the Open Crypto Audit Project. Patches for both bugs were released over the weekend by VeraCrypt, an encryption provider whose solution is built with a forked version of TrueCrypt.
TrueCrypt has been used by, among others, David Miranda, the partner of journalist Glenn Greenwald, who was one of the first reporters to publish information provided by former security contractor Edward Snowden about widespread surveillance by the U.S. National Security Agency and its equivalent organization in the U.K., the Government Communications Headquarters. The freeware enables users to encrypt either some or all of the data stored on their devices.
Bugs Enabled Abuse of Privileges
After learning of Forshaw's discoveries, VeraCrypt on Saturday released fixes for two TrueCrypt vulnerabilities that could potentially affect users on Windows. One was a critical flaw identified as CVE-2015-7358; the other was dubbed CVE-2015-7359.
Both bugs enable local elevation of privilege on Windows, which could let an attacker who already has access to a machine gain higher privileges: one bug stems from the way drive letters are handled, the other from incorrect handling of impersonation tokens.
The VeraCrypt release also fixed several other Windows bugs, including the display of some Unicode languages. In addition to Windows, TrueCrypt can be used on devices running Mac OS X, Linux, DragonFly BSD and Android.
"Even though my #truecrypt bugs weren't back doors it's clear that it was possible to sneak them past an audit," Forshaw noted Sunday in a tweet. The next day he tweeted that he did not mean to suggest that those bugs were intentionally put into TrueCrypt. "Just that no matter how much you audit, bugs can still sneak through," he said.
Not a Nail in TrueCrypt Coffin
Cybersecurity expert Bruce Schneier, a fellow at Harvard's Berkman Center for Internet and Society, echoed Forshaw's last comment. He told us that the latest bug discovery proves only that no one audit can uncover every possible flaw in a program.
However, he said that doesn't mean the latest findings should preclude the use of TrueCrypt. "Of course not," he said. "Everyone suspects everything, and no one knows anything."
While Schneier said he has stopped using TrueCrypt, the alternatives for anyone who is concerned about the security of their stored data are "a whole bunch of mediocre choices." He said that people could either continue to use TrueCrypt, use the embedded encryption provided by either Microsoft or Apple, or opt for a follow-on-type offering like VeraCrypt or, his own current choice, BestCrypt.