“Our general conclusion is that TrueCrypt is safer than previous examinations suggest,” wrote professor Eric Bodden in a blog post announcing the study.
TrueCrypt was discontinued in the summer of 2014 — the developers said they didn’t want to maintain a standard with “unfixed security issues.” It’s still not clear exactly what those vulnerabilities were — they were never announced, in part to protect the project’s millions of users. Security researcher James Forshaw did find two flaws in September that could be used to compromise a machine (though not decrypt an encrypted hard drive), but it’s possible the vulnerability that led to the project being abandoned is something else entirely.
Whatever the problem is, the Fraunhofer Institute didn’t find anything they deemed a critical flaw during their six-month study — though they did state that encryption can’t solve all security concerns.
“From a security perspective, the fact that TrueCrypt is a purely software solution means that it cannot in principle protect against all relevant threats,” says the study.
Bodden added to this point in his blog post.
“It does not seem apparent to many people that TrueCrypt is inherently not suitable to protect encrypted data against attackers who can repeatedly access the running system,” wrote Bodden, adding that “TrueCrypt seems not better or worse than its alternatives” so far as encrypting data is concerned.
Basically, if someone already has access to your system in some way — be it physical access to the machine while it’s running, or the installation of Trojan horse malware — encryption of any kind won’t help. Keyloggers can be installed, and files can be accessed by malware while the user is accessing an encrypted drive — no encryption can prevent that. Encryption does, however, make it hard for someone who steals your hard drive to access the data on it.
Whatever flaw prompted the TrueCrypt developers to abandon the project — and even advise developers to not fork it — may not have shown up in any study, but it’s becoming harder to imagine what that flaw might be. A fork of the software, called VeraCrypt, includes patches for every bug that’s been found so far.
Editors' Recommendations
- Windows 12 might not be coming this year after all
- This might be why the RTX 4090 is getting so expensive
- Good news — Nvidia’s RTX 4070 might not be a lost cause after all
- All-day battery life and ANC are about to become standard true wireless features
- GameStop shows it’s not so essential after all, moves to digital-only orders
