1. Home >
  2. Internet & Security

Critical TrueCrypt security bugs finally found

A new security report indicates that there are deep flaws buried in TrueCrypt's source code. If you still use the program, it's time to find a different solution.
By Joel Hruska
Encrypt

For several years, TrueCrypt was the gold standard in PC disk decryption suites. That changed nearly 18 months ago, when the individuals who developed the software abruptly quit. The developers declared that the existing software was "“not secure as it may contain unfixed security issues," provided a final version of the software to decrypt data, and shut the project down. This was all the more puzzling when two extensive security audits found no bugs of significance. As of today, that's changed.

Security researcher James Forshaw found two critical bugs in the program that could compromise an end-user's machine. While neither allowed an attacker backdoor access, the Register reports that both could have been used to install spyware to the host machine or record keystrokes. Either of these could've been sufficient to allow an attacker to capture the drive's encryption key, depending on how good the end-users security practices were.

ForshawTwitter

It's not clear how these bugs slipped past the code audits performed over the past year, but it's entirely possible that Forshaw and the original audit teams focused on different aspects of TrueCrypt. The second audit report, released earlier this year, states that: "the assorted AES implementations in both parallel and nonparallel XTS configurations were a particular point of focus." Forshaw's bugs, in contrast, both appear to be related to other aspects of the system. As Forshaw notes above, even audits don't catch every bug.

These bugs have been patched in the fork of TrueCrypt, VeraCrypt, which patched both of them(Opens in a new window) on September 26. Note that the current links to descriptions of each bug are 403'd, Forshaw typically waits a week to upload descriptions.

We'll never know why TrueCrypt's authors left the project. Clearly these bugs, while significant, can still be fixed without compromising the system. Equally clearly, VeraCrypt was able to solve them in short order, once Forshaw drew attention to them. What we do know, however, is that there's now very good reason to move away from using TrueCrypt and towards one of the actively maintained forks or alternate solutions. TrueCrypt itself has now proven flawed enough to no longer be trustworthy.

If you're curious about secure software, including full disk encryption, we covered the topic extensively earlier this year. VeraCrypt is currently the most-recommended alternative to TrueCrypt, but it's far from the only option. Both OS X and Windows offer support for full-disk encryption -- if you need an alternative to TrueCrypt, they do exist.

Tagged In

Bugs Snowden VeraCrypt Security Full Disk Encryption

More from Internet & Security

A screenshot of Synthesia's "Expressive Avatar" builder tool.
Nvidia-backed AI Firm Launches Lifelike Avatars for Enterprise Users
By Adrianna Nine
Three examples of deepfakes created by VASA-1.
Microsoft Swears VASA-1 Deepfake Tool Isn't for Creating Deepfakes
By Adrianna Nine
Examples of posts with Meta's "Made with AI" label on them.
Meta Will Begin Labeling AI-Generated Content. Is It Enough to Combat Misinformation?
By Adrianna Nine
Close-up of the YouTube listing in the iPadOS App Store.
YouTube Cracks Down on Third-Party Media Players That Block Ads
By Adrianna Nine
Someone typing on a computer keyboard.
US Cybersecurity Agency Will Review Malware Samples Sent by the Public
By Adrianna Nine
Subscribe Today to get the latest ExtremeTech news delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of use(Opens in a new window) and Privacy Policy. You may unsubscribe from the newsletter at any time.
Thanks for Signing Up