Security Experts:

TrueCrypt Is Not Secure, Developers Warn

TrueCrypt is not safe to use since it might contain unfixed security issues, warns a message apparently coming from the developers of the encryption software.

In October 2013, following rumors of the NSA’s attempts to undermine encryption software, Kenneth White, principal scientist at BAO Systems, and Matthew Green, cryptographer and research professor at Johns Hopkins University, announced their intention to audit TrueCrypt.

They managed to raise more than $70,000 for the project and in April they announced completion of phase one of the audit. In the first report, iSEC Partners, the company tasked with reviewing the software, revealed finding a total of eleven security issues, but they did not find any malicious code or backdoors.

While after the first phase of the audit it appeared that TrueCrypt could turn out to be secure, on Wednesday, visitors of truecrypt.org were redirected to a SourceForge page containing the following message: WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.

The SourceForge page has been apparently set up to help users migrate existing data encrypted with TrueCrypt to BitLocker, the full disk encryption feature included in Windows Vista, Windows 7 and Windows 8.

No details have been provided regarding the security issues mentioned in the warning message. However, the decision appears to have something to do with the end of support for Windows XP.

“The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform,” TrueCrypt’s anonymous developers noted.

Initially, many thought that this might be a hoax, that the TrueCrypt website might have been hacked. However, as Reddit users highlight, TrueCrypt 7.2, released on May 27, is signed with valid keys, and the binaries suggest that it was built on the same developer computer as the previous version, 7.1a. The fact that the latest release only allows users to decrypt data and not create new volumes also suggests that the announcement is legitimate.

Green has attempted to contact TrueCrypt developers but so far he hasn’t heard back from them. There are several scenarios that he and others think could have led to this. One theory, which Green says is unlikely, is that hackers identified the TrueCrypt developers, stole their signing keys and breached their website. Another possibility is that the TrueCrypt signing keys have been stolen, or that the developers have been identified, and this is their response to the situation, Green said.

Reddit users also suggest that the NSA might have pressured the developers into shutting down the project and convince people to switch to new encryption software, one that might contain backdoors approved by the intelligence agency.

Green told security blogger Brian Krebs that he plans on completing the TrueCrypt audit, especially since he still has $30,000 of the money he raised for the project. The expert believes that the developers of TrueCrypt could have allowed other people to continue their work, but their actions make this task difficult.

Early Thursday, a Tweet from the @OpenCryptoAudit account stated: "We will be making an announcement later today on the TrueCrypt audit and our work ahead."