TrueCrypt Passes Security Audit, Project’s Future Still Unclear
Last year, the developers of popular disk encryption software TrueCrypt, used by Edward Snowden and countless other privacy advocates, abruptly abandoned the project, stating,
“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”
The software’s mysterious death led to a storm of conspiracy theories, including the idea that TrueCrypt may contain an NSA backdoor. However, the results of a thorough, public security audit by the NCC Group have just arrived, showing no evidence of NSA backdoors. While this seems like good news for past TrueCrypt users, the future of the project is still unclear.
TrueCrypt’s Security Audit Still Leaves Many Questions Unanswered
Unlike disk encryption utilities such as BitLocker and FileVault, TrueCrypt is open source, allowing anyone to inspect the project’s code for vulnerabilities and backdoors. This makes it relatively easy for anyone with the technical knowledge to audit TrueCrypt’s security, as the NCC Group has done. NCC discovered four vulnerabilities in the now-abandoned software, none of which are particularly serious. To exploit the bugs, an attacker would most likely have to first compromise the target machine.
Matt Green, a cryptographer and research professor at Johns Hopkins University, wrote about the TrueCrypt audit in a recent blog post, stating,
“The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.”
“Truecrypt is a really unique piece of software. The loss of Truecrypt’s developers is keenly felt by a number of people who rely on full disk encryption to protect their data. With luck, the code will be carried on by others. We’re hopeful that this review will provide some additional confidence in the code they’re starting with.”
While many, like Green, hope that other developers will fork the TrueCrypt project to keep it alive, TrueCrypt’s software license actually prohibits borrowing the source code to create new versions of the software. This means that developers will have to create a new encryption project from scratch, something that could take years. Interestingly, some developers have still forked TrueCrypt despite the potential legal consequences, creating projects like CipherShed and VeraCrypt.
While it doesn’t seem like there are any serious issues with TrueCrypt, it’s still entirely possible that the audit missed a fatal flaw, and using an abandoned security system is probably not the best idea anyway. The project’s page on SourceForge directs Windows users to use BitLocker, Microsoft’s built-in encryption utility, which has been found to have been compromised by the CIA. For Mac users, OS X includes FileVault. FileVault isn’t known to have been compromised, but like BitLocker, FileVault is closed source. The software has been independently tested by many security researchers, but without access to FileVault’s source code it’s still difficult to say with confidence that there are absolutely no vulnerabilities or backdoors.
For now, other than TrueCrypt’s forks, there are few open source alternatives to TrueCrypt, all of which have mixed reviews from the security community.