Is This TrueCrypt's Fatal Flaw?
For many years, TrueCrypt was the gold standard in free encryption software. But in May 2014, the software’s developers abruptly quit, warning users of unspecified “security issues” in TrueCrypt. Security luminaries declared there was nothing wrong with the last version of TrueCrypt so it has remained in use. But now, there's a problem. A big one, in fact...
The Truth About TrueCrypt
But certain security luminaries declared there was nothing wrong with the last version of TrueCrypt (v7.1a), so it has remained in use. See my article, TrueCrypt Is Dead, Long Live TrueCrypt, for the back story on this saga.
A crowdfunding campaign raised money to pay for a professional security audit of TrueCrypt, which completed in April 2015 and found no security holes. But now, two security vulnerabilities in TrueCrypt have been discovered, one of which is deemed serious. Here is what you need to know and do.
The flaws were discovered by James Forshaw, a member of Google’s Project Zero team which ferrets out zero-day vulnerabilities in all sorts of software. One of the flaws is not very useful to hackers, in Forshaw’s opinion. The other is much more serious.
The less dangerous flaw, designated CVE-2015-7359, would allow any user of a shared computer to impersonate another user. The attacking user could unmount a victim’s TrueCrypt-encrypted virtual drive volume. But, as Forshaw writes,
“I don’t believe this is really a serious issue, as if you’re mounting encrypted volumes on shared machine and leaving them mounted I think you’ve got other problems.” In other words, people who do something this dumb have probably left several other, easier entries into their systems wide open.
The other flaw, CVE-2015-7358, is more serious. It could allow an attacker to gain administrative privileges on a machine even if its boot drive is fully encrypted by TrueCrypt. And if a user has administrative privileges, he or she can do anything on that computer, including installing malware.
Is Data Encrypted With TrueCrypt at Risk?
I've been reading that this flaw (even though it's serious and compromises the security and privacy of the affected computer) does NOT give the attacker the ability to decrypt a TrueCrypt volume.
But… what if the attacker was able to install a keylogger that loads before TrueCrypt’s authentication module, enabling the keylogger to capture the user’s TrueCrypt authentication key as it is typed? With that key, the attacker could do anything with the victim’s encrypted data.
I'm not certain this is doable, but it sounds like a realistic possibility. Given that, and the fact that these flaws are obviously not going to be fixed in the abandoned TrueCrypt program, my advice is this: If you are using TrueCrypt, you should switch to something else immediately. Even if the data you've encrypted with TrueCrypt is still 100% safe, you don't want software on your computer that has known security vulnerabilities.
Despite the confusion around the demise of TrueCrypt, Forshaw says he found no reason to believe that these new vulnerabilities were intentionally introduced into the TrueCrypt codebase before the project was abandoned. No evidence of a secret back-door was found in the independent audit of TrueCrypt, either.
Where Do We Go From Here?
Microsoft’s BitLocker encryption scheme is one alternative. But BitLocker is only found on the Pro, Ultimate, and Enterprise editions of Windows Vista, 7, 8.1 and 10. It's not available to Windows Home edition users.
However, they can turn to a free spinoff of TrueCrypt called VeraCrypt, which has already been patched to close the holes discovered by Forshaw. VeraCrypt is able to convert your TrueCrypt volumes to VeraCrypt format, so there should be an easy transition.
Three lessons can be learned from the TrueCrypt saga. First, as I discussed in my article on TrueCrypt’s abandonment, developers of free software may very well quit supporting their products and creating new ones if users don’t support their efforts financially. Second, even professional security audits can miss flaws in complex software like TrueCrypt. Third, it is never a good idea to continue using orphaned software, particularly security software.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 7 Oct 2015
Copyright © 2005 - Bob Rankin - All Rights Reserved