Is This TrueCrypt's Fatal Flaw?

Category: Security, Software

For many years, TrueCrypt was the gold standard in free encryption software. But in May 2014, the software’s developers abruptly quit, warning users of unspecified “security issues” in TrueCrypt. Security luminaries declared there was nothing wrong with the last version of TrueCrypt so it has remained in use. But now, there's a problem. A big one, in fact...

The Truth About TrueCrypt

The version those security luminaries vouched for was the last one, TrueCrypt v7.1a, and it has remained in use. See my article, TrueCrypt Is Dead, Long Live TrueCrypt, for the back story on this saga.

A crowdfunding campaign raised money to pay for a professional security audit of TrueCrypt, which was completed in April 2015 and found no security holes. But now, two security vulnerabilities in TrueCrypt have been discovered, one of which is deemed serious. Here is what you need to know and do.

The flaws were discovered by James Forshaw, a member of Google’s Project Zero team, which ferrets out zero-day vulnerabilities in all sorts of software. One of the flaws is not very useful to hackers, in Forshaw’s opinion. The other is much more serious.

TrueCrypt's Fatal Flaw

The less dangerous flaw, designated CVE-2015-7359, would allow any user of a shared computer to impersonate another user. The attacking user could unmount a victim’s TrueCrypt-encrypted virtual drive volume. But, as Forshaw writes,

“I don’t believe this is really a serious issue, as if you’re mounting encrypted volumes on shared machine and leaving them mounted I think you’ve got other problems.” In other words, people who do something this dumb have probably left several other, easier entries into their systems wide open.

The other flaw, CVE-2015-7358, is more serious. It could allow an attacker to gain administrative privileges on a machine even if its boot drive is fully encrypted by TrueCrypt. And if a user has administrative privileges, he or she can do anything on that computer, including installing malware.

Is Data Encrypted With TrueCrypt at Risk?

I've been reading that this flaw (even though it's serious and compromises the security and privacy of the affected computer) does NOT give the attacker the ability to decrypt a TrueCrypt volume.

But… what if the attacker was able to install a keylogger that loads before TrueCrypt’s authentication module, enabling the keylogger to capture the user’s TrueCrypt authentication key as it is typed? With that key, the attacker could do anything with the victim’s encrypted data.

I'm not certain this is doable, but it sounds like a realistic possibility. Given that, and the fact that these flaws are obviously not going to be fixed in the abandoned TrueCrypt program, my advice is this: If you are using TrueCrypt, you should switch to something else immediately. Even if the data you've encrypted with TrueCrypt is still 100% safe, you don't want software on your computer that has known security vulnerabilities.

Despite the confusion around the demise of TrueCrypt, Forshaw says he found no reason to believe that these new vulnerabilities were intentionally introduced into the TrueCrypt codebase before the project was abandoned. No evidence of a secret back-door was found in the independent audit of TrueCrypt, either.

Where Do We Go From Here?

Microsoft’s BitLocker encryption scheme is one alternative. But BitLocker is only found on Pro, Ultimate, and Enterprise editions of Windows Vista, 7, 8.1 and 10. It's not available to Windows Home edition users.

However, they can turn to a free spinoff of TrueCrypt called VeraCrypt, which has already been patched to close the holes discovered by Forshaw. VeraCrypt is able to convert your TrueCrypt volumes to VeraCrypt format, so there should be an easy transition.

Three lessons can be learned from the TrueCrypt saga. First, as I discussed in my article on TrueCrypt’s abandonment, developers of free software may very well quit supporting their products and creating new ones if users don’t support their efforts financially. Second, even professional security audits can miss flaws in complex software like TrueCrypt. Third, it is never a good idea to continue using orphaned software, particularly security software.

Your thoughts on this topic are welcome. Post your comment or question below...

 
This article was posted by on 7 Oct 2015



Most recent comments on "Is This TrueCrypt's Fatal Flaw?"

Posted by:

Michael D.
07 Oct 2015

Thank you for the vigilance, Bob. Was it intentional to give the same designation to both of the above mentioned flaws?


Posted by:

Bill
07 Oct 2015

There exists no encryption/security software that is truly safe. It just hasn't been compromised yet. The best security practice is to treat all e-communication as public. If you know everyone may see it, you will think twice before posting. Granted, this practice won't help people who need to communicate securely, but it will save the average person from potential embarrassment.


Posted by:

Tom Perkins
07 Oct 2015

Bob,
A timely article. I have adopted the John Connor (Terminator) approach of "living off the grid" with security info by keeping it on a TrueCrypt encrypted stick. I just returned from my first USB stick-only trip and discovered the demise of TrueCrypt when I tried to use it by downloading TrueCrypt to my son's MacPro laptop.
Bottom line. It looks like I should accept the old adage that "you get what you pay for" and switch to the Microsoft BitLocker.


Posted by:

Mike
07 Oct 2015

Thanks Bob, for another informative article
Mike


Posted by:

Lewis Locke
07 Oct 2015

I switched over to VeraCrypt as soon as I read the "Ask Leo" column yesterday.

While the switchover was relatively simple, I am really disgusted with the huge amount of time it takes for VeraCrypt to open my encrypted volume. I'm talking about routine waits of up to 15 minutes while the pop-up warns me that I need to be patient.

I'm going to try changing over to BitLocker, and hope it, too, won't be plagued with similar problems.


Posted by:

John Wafford
07 Oct 2015

I keep my encrypted data on a drive on a separate disk from that with my OS, and only mount that drive when I need to access those data. Would this leave me relatively safe from any hack?


Posted by:

intelligencia
07 Oct 2015

Hello Mr. Rankin and fellow Rankinites:

I simply LOVE VeraCrypt which I have been using since the middle of 2014.

VeraCrypt works just like TrueCrypt but think of VC as a real Enhanced version of TC!

For those using Linux Mint (vs. 17.2) and are unable to write (cut and Paste) files to the VC volume make sure of two things:

1. In the VeraCrypt tab settings>preferences> MOUNT OPTIONS ensure that the first box (“Mount volumes as read-only”) is un-ticked!

2. If you are running the anti-virus program, Clamtk, make sure that it is not running when you use VeraCrypt. For some reason there is a conflict between VeraCrypt and Clamtk and VC won't run when the latter is on.

For a while I did not know the reason I was unable to write to a VC volume. After a series of trial and error I was able to fix the issue on my own computer. I cannot guarantee that the advice given above will help with your particular situation as “your mileage may vary”.

Thank You All For Listening,

i


Posted by:

Robert Kemper
07 Oct 2015

Thanks Bob, for keeping us informed of another security problem.


Posted by:

bb
08 Oct 2015

I won't be too quick to jump to VeraCrypt yet - yes they patched this vulnerability, but the patch caused other problems. Reportedly, some users can't delete folders from protected volumes. That bug should be fixed in v1.16 out soon.

Bottom line, I'm still sticking with TrueCrypt. If you have malware on your computer, you have bigger problems than a TrueCrypt privilege escalation.


Posted by:

IanG
08 Oct 2015

Presumably your sentence, Bob: "And if a user has administrative privileges, he or she can do anything on that computer, including installing malware" relates to installing a keylogger?

I run a shared computer - but only with my wife, who is computer illiterate. I only have about three folders encrypted with TrueCrypt, so I don't feel in the least bit threatened and will keep using TrueCrypt as long as I am capable.

Getting towards the end of my lifespan, I don't feel the need to make a change. After I'm gone, nobody will know my authentication code anyway, so a keylogger would be of no use whatsoever.


Posted by:

Bob Greene
08 Oct 2015

Bob, a response to your points 1, 2 and 3--
1. Financial support for developers always has been a problem. Therefore, many freeware developers adopt a hybrid business model offering a "premium" version, and that model seems to work.
2. Professional security audits, like any audit, are subject to error. But risk of error with good professionals is relatively minor, and the professional audit has significant security value.
3. According to its security audit, TrueCrypt is still OK and not automatically risky. Any risk comes from careless use and/or the ever-present threat of keyloggers, as you note. The keylogger threat depends on how, where, and how well it is planted-- amateur users are not (usually) a rich target, but specific people in a "high security" environment can be extremely rich targets. Hence, the recent exploit against federal employee records.


Posted by:

DBA Steve
08 Oct 2015

The link to VeraCrypt in the article was flagged by Firefox as not having a valid certificate. I find that interesting.

I've used TrueCrypt for years (and years). While VeraCrypt sounds like a fair replacement, I gotta wonder about the certificate issue.


Posted by:

Bob Sanders
08 Oct 2015

Microsoft keeps your BitLocker key in your OneDrive account. How safe is your password there? I'm staying with VeraCrypt.

EDITOR'S NOTE: Not true, if you're using BitLocker on a typical home computer or laptop. If you have a mobile device such as Surface or Windows Phone with "device encryption" turned on, then the key is stored in your OneDrive account. Is there a security risk associated with OneDrive that you know of?


Posted by:

Bob Sanders
09 Oct 2015

Not that I'm aware of, the biggest risk is with the password. I just am not completely trusting of Microsoft, however. I have more faith in VeraCrypt than MS.


Posted by:

intelligencia
09 Oct 2015

@DBA Steve:

The Veracrypt home page is back Online and the new version of VC (1.16) is Now Out:
https://veracrypt.codeplex.com/

Rest Easy,

i


Copyright © 2005 - Bob Rankin - All Rights Reserved


Article information: AskBobRankin -- Is This TrueCrypt's Fatal Flaw? (Posted: 7 Oct 2015)
Source: http://askbobrankin.com/is_this_truecrypts_fatal_flaw.html