Google Researcher Uncovers Critical TrueCrypt Flaws
TrueCrypt is one of a few encryption options available for Windows – though TrueCrypt’s original developers no longer maintain it, many users still rely on the software to encrypt their hard drives. However, Google’s Project Zero team has recently uncovered two serious flaws in the system.
Project Zero team member James Forshaw discovered the flaws, which could allow for attackers to enact a full system compromise by “abusing drive letter handling”. Though quite serious, the security holes in TrueCrypt are hardly surprising – the original developers stopped maintaining the project in 2014, stating that “it may contain unfixed security issues” and warning all users to switch to BitLocker, instead. Despite these warnings, there are still many TrueCrypt users because it is one of the only free options available. BitLocker is not available on the Home versions of Windows installed on many consumer laptops by default; and most other programs require a paid license.
TrueCrypt’s code had previously been professionally audited for errors; but until Forshaw’s discovery, no high-severity security flaws had appeared. At this stage, it is difficult to know whether these flaws were purposely introduced; but they serve as a grim reminder that even professional security audits can miss critical bugs – the first TrueCrypt audit was undertaken by iSEC Partners and focused on the driver code. However, Forshaw stated on Twitter that “Windows drivers are complex beasts”, and that it’s difficult to entirely eliminate the possibility of flaws.
Because TrueCrypt’s original developers no longer maintain it, patches won’t be issued for its code. Instead they’ve been released for VeraCrypt, an open source program with TrueCrypt-based code that aims to expand and improve upon its predecessor – VeraCrypt 1.15, released Saturday, contains patches for the two vulnerabilities (CVE-2015-7358 and CVE-2015-735) as well as several other less serious bugs. Any users still utilizing TrueCrypt are strongly advised to switch to the latest version of VeraCrypt as soon as possible.