Skip to main content
  1. Home
  2. Computing
  3. News

Why TrueCrypt might not be so insecure after all

Add as a preferred source on Google

Reports of TrueCrypt’s flaws were greatly exagerated, if a 77-page report coming out of Germany’s Fraunhofer Institute is anything to go by. The intensive six-month study concludes that the encryption software is nowhere near as insecure as reported back in 2014.

“Our general conclusion is that TrueCrypt is safer than previous examinations suggest,” wrote professor Eric Bodden in a blog post announcing the study.

Recommended Videos

TrueCrypt was discontinued in the summer of 2014 — the developers said they didn’t want to maintain a standard with “unfixed security issues.” It’s still not clear exactly what those vulnerabilities were — they were never announced, in part to protect the project’s millions of users. Security researcher James Forshaw did find two flaws in September that could be used to compromise a machine (though not decrypt an encrypted hard drive), but it’s possible the vulnerability that led to the project being abandoned is something else entirely.

Whatever the problem is, the Fraunhofer Institute didn’t find anything they deemed a critical flaw during their six-month study — though they did state that encryption can’t solve all security concerns.

“From a security perspective, the fact that TrueCrypt is a purely software solution means that it cannot in principle protect against all relevant threats,” says the study.

Bodden added to this point in his blog post.

“It does not seem apparent to many people that TrueCrypt is inherently not suitable to protect encrypted data against attackers who can repeatedly access the running system,” wrote Bodden, adding that “TrueCrypt seems not better or worse than its alternatives” so far as encrypting data is concerned.

Basically, if someone already has access to your system in some way — be it physical access to the machine while it’s running, or the installation of Trojan horse malware — encryption of any kind won’t help. Keyloggers can be installed, and files can be accessed by malware while the user is accessing an encrypted drive — no encryption can prevent that. Encryption does, however, make it hard for someone who steals your hard drive to access the data on it.

Whatever flaw prompted the TrueCrypt developers to abandon the project — and even advise developers to not fork it — may not have shown up in any study, but it’s becoming harder to imagine what that flaw might be. A fork of the software, called VeraCrypt, includes patches for every bug that’s been found so far.

Justin Pot
Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…
Amazon wants to design in-house chips for Kindles, Fire TV, and Echo speakers
Apple did it first. Amazon is doing it now, starting with 40 million chips a year and a partner most people have never heard of.
Amazon Kindle Scribe dark mode featured image.

Apple's decision to design its own chips reshaped the consumer electronics industry. Amazon may be about to make the same call, just about two decades later.

Supply chain analyst Ming-Chi Kuo reports that Amazon is preparing to shift away from externally sourced processors for its consumer electronics lineup, marking what he describes as the company's first major processor procurement change in 20 years. The transition is expected to begin in 2027.

Read more
AI wants to summarize it all. TripAdvisor’s misleading reviews show AI will also ruin your travel plans
Spotless, friendly, and totally wrong. AI summaries are hiding the reviews that actually matter.
Tripadvisor logo on MacBook

Planning a trip is stressful enough without wondering if the glowing hotel summary you just read was written by an AI that skipped the scary parts. As it turns out, that might be exactly what's happening on TripAdvisor.

According to an investigation by consumer group Which?, reported by the Guardian, TripAdvisor's AI-generated review summaries are smoothing over serious guest complaints, and in some cases, downright dangerous ones.

Read more
Opera’s new Paste Protect feature stops the clipboard attack your antivirus can’t catch
ClickFix attacks trick you into compromising your own device, and no major browser had a native defense against them until now.
Opera Paste Protect featured

Most online scams are easy enough to spot once you know what to look for. Fake login pages, suspicious attachments, or urgent wire transfer requests are dead giveaways. But ClickFix doesn't look like any of them. It presents itself as a solution, and it asks you to do something so routine that few people think twice about it.

The technique was behind more than 53 percent of malware loader incidents last year, according to cybersecurity firm Huntress, and no major browser had a native defense against it until now. Opera is fixing that with a new feature called Paste Protect.

Read more