Skip to main content

Why TrueCrypt might not be so insecure after all

have i been pwned owner uncovers 13 million plaintext passwords leaked from free webhost is a safe password even possible we
guteksk7/Shutterstock
Reports of TrueCrypt’s flaws were greatly exagerated, if a 77-page report coming out of Germany’s Fraunhofer Institute is anything to go by. The intensive six-month study concludes that the encryption software is nowhere near as insecure as reported back in 2014.

“Our general conclusion is that TrueCrypt is safer than previous examinations suggest,” wrote professor Eric Bodden in a blog post announcing the study.

TrueCrypt was discontinued in the summer of 2014 — the developers said they didn’t want to maintain a standard with “unfixed security issues.” It’s still not clear exactly what those vulnerabilities were — they were never announced, in part to protect the project’s millions of users. Security researcher James Forshaw did find two flaws in September that could be used to compromise a machine (though not decrypt an encrypted hard drive), but it’s possible the vulnerability that led to the project being abandoned is something else entirely.

Whatever the problem is, the Fraunhofer Institute didn’t find anything they deemed a critical flaw during their six-month study — though they did state that encryption can’t solve all security concerns.

“From a security perspective, the fact that TrueCrypt is a purely software solution means that it cannot in principle protect against all relevant threats,” says the study.

Bodden added to this point in his blog post.

“It does not seem apparent to many people that TrueCrypt is inherently not suitable to protect encrypted data against attackers who can repeatedly access the running system,” wrote Bodden, adding that “TrueCrypt seems not better or worse than its alternatives” so far as encrypting data is concerned.

Basically, if someone already has access to your system in some way — be it physical access to the machine while it’s running, or the installation of Trojan horse malware — encryption of any kind won’t help. Keyloggers can be installed, and files can be accessed by malware while the user is accessing an encrypted drive — no encryption can prevent that. Encryption does, however, make it hard for someone who steals your hard drive to access the data on it.

Whatever flaw prompted the TrueCrypt developers to abandon the project — and even advise developers to not fork it — may not have shown up in any study, but it’s becoming harder to imagine what that flaw might be. A fork of the software, called VeraCrypt, includes patches for every bug that’s been found so far.

Editors' Recommendations

Justin Pot
Former Digital Trends Contributor
Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…
WhatsApp users might leave traces of personal data after clearing chat logs
whatsapp

“Delete.”

When you click the button, in comes a rush of satisfaction. You’ve gained newfound free space, of course, but more importantly, an unwanted piece of your digital footprint is gone, without a trail of breadcrumbs to so much as suggest at its previous existence. Nothing nebulous. It’s clear cut. Gone, and gone forever.

Read more
Tesla 2018 production plans maybe not so ludicrous after all
Tesla Model 3

Tesla Motors and its CEO Elon Musk consistently push the envelope, seemingly as part of the company's culture. When Tesla announced it was going to ramp up the Fremont, California factory to produce 500,000 vehicles in 2018, two years ahead of schedule (and just after the eruption of pre-order reservations for the mass-priced Model 3 in April 2016), automotive experts lined up to say it couldn't be done.

But maybe the doubters should hold back. A report by global research and consulting firm Cairn ERA shows Tesla's growth-rate goal has already been exceeded by three Chinese auto manufacturers, according to Electrek, indicating that what Tesla is attempting can be done.

Read more
What crept into the crypt? TrueCrypt bugs may finally have been discovered
dell secureworks prices hacker keyboard 2 970x0

A year and a half ago, users of the TrueCrypt encryption software were shocked to find the long-time developers had quit, stating that they could no longer continue to develop a standard that contained 'unfixed security issues.' Understandably they didn't reveal what those problems were, as doing so would have made the software's many users vulnerable, but now, we can report on what those bugs actually were.

Discovered by security researcher James Forshaw, the two vulnerabilities in the system could be used to compromise the machine of a TrueCrypt user. While neither would make it possible to decrypt drives protected with the TrueCrypt software, the vulnerabilities would have allowed for the installation of malware on a user's machine, which would be enough to potentially figure out their decryption key and other sensitive data.

Read more