TrueCrypt downed by alleged insecurities

May 29, 2014 // 10:35 a.m.

Tags: #back-door #bitlocker #cipher #cryptography #edward-snowden #encryption #insecurity #privacy #security

Companies: #nsa #open-source #truecrypt #us-government

Popular open-source encryption package TrueCrypt has been declared unsafe, with its developers apparently opting to erase the software from the face of the earth - despite a security audit having found no serious flaws.

TrueCrypt is a serious piece of software: open source and with binaries available for most popular computing platforms, the package allows the user to hide private data using a variety of strong encryption algorithms. Additional features that set it apart from its rivals including whole-disk support - allowing the entire operating system to reside on an encrypted volume - and its use of 'hidden volumes' for jurisdictions, like the UK, where decryption can be demanded under the threat of jail time; the throw-away outer volume can be offered up as a sacrifice, while the real private data remains unproveably present within the volume.

Following whistleblower Edward Snowden's claims that the US government - and, undoubtedly, those of other nations - had pressured companies to weaken their encryption products or insert back-door access, a crowd-funded security audit of TrueCrypt's source code was undertaken. The initial report highlighted zero high-severity issues, and while four medium- and a further four low-severity issues were found, none were considered to critically weaken the software's capabilities.

Last night, however, the TrueCrypt developers declared otherwise. The project's SourceForge page was modified to claim TrueCrypt was insecure, and all its past source code and binary files deleted from the repository. In their place, a special version of the software dubbed TrueCrypt 7.2 was release; this contains warnings against its own use, and removes all encryption capabilities in favour of allowing read-only access to existing TrueCrypt volumes in order for existing users to recover their data.

'WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues,' the new version of the software warns users. 'The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.' This is echoed by a tutorial on the official website detailing how to migrate to Microsoft's BitLocker encryption platform.

The binary files and source code live on, as with any open source project, in personal archives and publicly-accessible sites like GitHub. The developers of the software, who have remained anonymous since its inception, are silent on exactly why the move to remove it from its official site has been made - but there are a handful of convincing theories that may explain the matter.

The most likely is that the project has received a National Security Letter demanding that back-door access be placed into the software, which likely came to the US government's attention following Snowden's recommendation it be used by anyone with secrets to hide. These letters contain a self-gag order preventing their disclosure; by cancelling the project entirely and warning that it is insecure, the developers will have been able to skirt the terms of this gag order while warning users that it is no longer to be trusted thanks to government interference.

Another theory is that the developers have discovered an existing back door, inserted into the code by a government agent pretending to be a valued contributor. How this would have been missed during the detailed security audit the software recently underwent, however, is unclear. A final theory is that the project has been hijacked: SourceForge recently suffered a security breach, and the issuance and near-immediate revocation of new signing keys for the TrueCrypt project hint that the original developers may no longer be in control.

One thing is clear: until a developer comes forward with more details, those who rely on TrueCrypt to protect their privacy would do well to make sure they add some additional layers to their defence strategy.
Discuss this in the forums


Week in review