TrueCrypt Provides Good Data Protection: Audit

A recent security audit has shown that while TrueCrypt is plagued by some vulnerabilities, the product is efficient when it comes to protecting data, particularly in cases where an encrypted disk is lost or stolen.

TrueCrypt, a popular open source file and disk encryption software, was discontinued in May 2014 by its anonymous developers who warned users that the product was not secure and advised them to migrate to other solutions. While there are some promising forks, such as VeraCrypt and CipherShed, the original TrueCrypt is still used by many, especially since there is no evidence that its encryption can be easily cracked.

Several months before it was discontinued, the Open Crypto Audit Project (OCAP) announced its intention to conduct a comprehensive audit and cryptanalysis of TrueCrypt. The audit was completed in April 2015, and while the researchers found some weaknesses, they did not identify any backdoors or serious design flaws.

Some security issues related to the Windows driver code used by TrueCrypt were disclosed in October by researchers at Google’s Project Zero. However, experts noted at the time that the flaws don’t have a direct impact on the security of encrypted drive volumes at rest.

New TrueCrypt Audit by German Government

The latest TrueCrypt audit was conducted over a six-month period by the Fraunhofer Institute for Secure Information Technology (SIT) on behalf of the German Federal Office for Information Security (BSI). Researchers performed a thorough analysis of the last full version of TrueCrypt, 7.1a, and determined that the product is “safer than previous examinations suggest.”

The German experts examined the encryption mechanism, source code vulnerabilities, the quality of the code and documentation, and the program’s design and architecture. They also analyzed the findings of the OCAP report to determine whether any of the identified issues pose a serious threat.

Auditors noted that there are some quality issues related to TrueCrypt documentation and maintainability. From a security standpoint, experts found that the application of cryptography is not optimal.

“The AES implementation is not timing-resistant, key files are not used in a cryptographically secure way and the integrity of volume headers is not properly protected. There are many redundant implementations (sometimes for hardware-optimization) and disused algorithms are still present in a deactivated form in the source code,” the BSI report reads.

Despite these issues, TrueCrypt is good for protecting data at rest — i.e., files stored on an unmounted hard drive or a USB flash drive. TrueCrypt is not very good for protecting data against attacks in which the attackers have privileged access to a running system, but this risk has been known and documented by the original developers.
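To make the header-integrity finding quoted above concrete, here is an added illustration (not code from the audit, from TrueCrypt or from this article) that uses a constructed, simplified header layout which is not TrueCrypt’s actual on-disk format: an unkeyed CRC-32 trailer catches accidental corruption of a volume at rest, but anyone who can modify the stored header can simply recompute it, whereas a keyed HMAC cannot be regenerated without the header key.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed, simplified header layout for illustration only (NOT
# TrueCrypt's real format): a 16-byte key slot followed by either a
# 4-byte CRC-32 (unkeyed) or a 32-byte HMAC-SHA256 (keyed) trailer.
KEY_SLOT = bytes(range(16))   # constructed sample key material
HEADER_KEY = b"\x42" * 32     # constructed sample secret header key


def build_crc_header(slot: bytes) -> bytes:
    return slot + struct.pack("<I", zlib.crc32(slot))


def crc_header_ok(header: bytes) -> bool:
    body, (crc,) = header[:-4], struct.unpack("<I", header[-4:])
    return zlib.crc32(body) == crc


def build_mac_header(slot: bytes, key: bytes) -> bytes:
    return slot + hmac.new(key, slot, hashlib.sha256).digest()


def mac_header_ok(header: bytes, key: bytes) -> bool:
    body, tag = header[:-32], header[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time compare


def flip_bit(slot: bytes) -> bytes:
    """One modified bit in the key slot, as stored on the medium."""
    changed = bytearray(slot)
    changed[0] ^= 0x01
    return bytes(changed)


def integrity_check_results() -> dict:
    """How each trailer reacts to an untouched and to a modified slot."""
    altered = flip_bit(KEY_SLOT)
    good_mac = build_mac_header(KEY_SLOT, HEADER_KEY)
    return {
        "crc_intact": crc_header_ok(build_crc_header(KEY_SLOT)),
        "mac_intact": mac_header_ok(good_mac, HEADER_KEY),
        # Unkeyed CRC recomputed over altered data still verifies: it
        # detects accidental corruption, not deliberate modification.
        "crc_after_recompute": crc_header_ok(build_crc_header(altered)),
        # Without HEADER_KEY no valid tag for the altered slot exists:
        # reusing the old tag or tagging with another key both fail.
        "mac_old_tag": mac_header_ok(altered + good_mac[-32:], HEADER_KEY),
        "mac_wrong_key": mac_header_ok(build_mac_header(altered, b"\0" * 32), HEADER_KEY),
    }
```

The practical check this suggests for any disk-encryption format is whether the header trailer is a keyed MAC (or authenticated encryption) rather than a plain checksum.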

In the case of the driver vulnerabilities discovered by Project Zero, an attacker would need to gain remote or direct access to the targeted system in order to exploit the weaknesses, researchers noted.

The OCAP report highlights that TrueCrypt is plagued by several buffer overflow vulnerabilities. However, tests conducted by Fraunhofer SIT researchers have demonstrated that these flaws cannot be exploited.

“In conclusion, I would say that the TrueCrypt code base is probably alright for the most parts. The flaws we found were minor, and similar flaws can occur also in any other implementation of cryptographic functions. In that sense TrueCrypt seems not better or worse than its alternatives,” explained Eric Bodden, one of the researchers involved in the TrueCrypt audit. “Code quality could be improved, though, as there are some places that call for a refactoring and certainly for better documentation. But generally the software does what it was designed for.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.