
TrueCrypt Is Not Secure, Developers Warn

TrueCrypt is not safe to use since it might contain unfixed security issues, warns a message apparently coming from the developers of the encryption software.

In October 2013, following rumors of the NSA’s attempts to undermine encryption software, Kenneth White, principal scientist at BAO Systems, and Matthew Green, cryptographer and research professor at Johns Hopkins University, announced their intention to audit TrueCrypt.

They managed to raise more than $70,000 for the project and in April they announced completion of phase one of the audit. In the first report, iSEC Partners, the company tasked with reviewing the software, revealed finding a total of eleven security issues, but they did not find any malicious code or backdoors.

While the first phase of the audit suggested that TrueCrypt could turn out to be secure, on Wednesday visitors to truecrypt.org were redirected to a SourceForge page containing the following message: “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.”

The SourceForge page appears to have been set up to help users migrate existing data encrypted with TrueCrypt to BitLocker, the full disk encryption feature included in Windows Vista, Windows 7 and Windows 8.

No details have been provided regarding the security issues mentioned in the warning message. However, the decision appears to have something to do with the end of support for Windows XP.

“The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform,” TrueCrypt’s anonymous developers noted.

Initially, many thought that this might be a hoax, or that the TrueCrypt website might have been hacked. However, as Reddit users highlight, TrueCrypt 7.2, released on May 27, is signed with valid keys, and the binaries suggest that it was built on the same developer computer as the previous version, 7.1a. The fact that the latest release only allows users to decrypt data, and not to create new volumes, also suggests that the announcement is legitimate.

Green has attempted to contact TrueCrypt developers but so far he hasn’t heard back from them. There are several scenarios that he and others think could have led to this. One theory, which Green says is unlikely, is that hackers identified the TrueCrypt developers, stole their signing keys and breached their website. Another possibility is that the TrueCrypt signing keys have been stolen, or that the developers have been identified, and this is their response to the situation, Green said.

Reddit users also suggest that the NSA might have pressured the developers into shutting down the project and convincing people to switch to new encryption software, one that might contain backdoors approved by the intelligence agency.

Green told security blogger Brian Krebs that he plans on completing the TrueCrypt audit, especially since he still has $30,000 of the money he raised for the project. The expert believes that the developers of TrueCrypt could have allowed other people to continue their work, but their actions make this task difficult.

Early Thursday, a tweet from the @OpenCryptoAudit account stated: “We will be making an announcement later today on the TrueCrypt audit and our work ahead.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
