Why TrueCrypt might not be so insecure after all

Reports of TrueCrypt’s flaws were greatly exagerated, if a 77-page report coming out of Germany’s Fraunhofer Institute is anything to go by. The intensive six-month study concludes that the encryption software is nowhere near as insecure as reported back in 2014.

“Our general conclusion is that TrueCrypt is safer than previous examinations suggest,” wrote professor Eric Bodden in a blog post announcing the study.

TrueCrypt was discontinued in the summer of 2014 — the developers said they didn’t want to maintain a standard with “unfixed security issues.” It’s still not clear exactly what those vulnerabilities were — they were never announced, in part to protect the project’s millions of users. Security researcher James Forshaw did find two flaws in September that could be used to compromise a machine (though not decrypt an encrypted hard drive), but it’s possible the vulnerability that led to the project being abandoned is something else entirely.

Whatever the problem is, the Fraunhofer Institute didn’t find anything they deemed a critical flaw during their six-month study — though they did state that encryption can’t solve all security concerns.

“From a security perspective, the fact that TrueCrypt is a purely software solution means that it cannot in principle protect against all relevant threats,” says the study.

Bodden added to this point in his blog post.

“It does not seem apparent to many people that TrueCrypt is inherently not suitable to protect encrypted data against attackers who can repeatedly access the running system,” wrote Bodden, adding that “TrueCrypt seems not better or worse than its alternatives” so far as encrypting data is concerned.

Basically, if someone already has access to your system in some way — be it physical access to the machine while it’s running, or the installation of Trojan horse malware — encryption of any kind won’t help. Keyloggers can be installed, and files can be accessed by malware while the user is accessing an encrypted drive — no encryption can prevent that. Encryption does, however, make it hard for someone who steals your hard drive to access the data on it.

Whatever flaw prompted the TrueCrypt developers to abandon the project — and even advise developers to not fork it — may not have shown up in any study, but it’s becoming harder to imagine what that flaw might be. A fork of the software, called VeraCrypt, includes patches for every bug that’s been found so far.