TrueCrypt audit reveals vulnerabilities but no backdoors

TrueCrypt, the popular open-source file and disk encryption application (comparable to BitLocker), is finally undergoing a security audit. The results of the first phase show no backdoors in the software, but they do identify several vulnerabilities in the Windows version.

Security research firm iSec Partners was engaged to audit TrueCrypt by the Open Crypto Audit Project, the crowdfunded effort behind IsTrueCryptAuditedYet.com, which is in the process of becoming a non-profit organization. In the first phase of the audit, iSec assessed version 7.1a of TrueCrypt for Windows, examining the application, the Windows kernel driver and the bootloader code. Although iSec found no backdoors or intentional flaws, it did identify 11 issues in the TrueCrypt code, four of them rated medium severity and none rated high.

The findings and the severity iSec assigned to each are as follows:

  • Weak Volume Header key derivation algorithm (Medium)
  • Sensitive information might be paged out from kernel stacks (Medium)
  • Multiple issues in the bootloader decompressor (Medium)
  • Windows kernel driver uses memset() to clear sensitive data (Medium)
  • TC_IOCTL_GET_SYSTEM_DRIVE_DUMP_CONFIG kernel pointer disclosure (Low)
  • IOCTL_DISK_VERIFY integer overflow (Low)
  • TC_IOCTL_OPEN_TEST multiple issues (Low)
  • MainThreadProc() integer overflow (Low)
  • MountVolume() device check bypass (Informational)
  • GetWipePassCount() / WipeBuffer() can cause BSOD (Informational)
  • EncryptDataUnits() lacks error handling (Informational)
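The first finding, the weak volume header key derivation, is the one that matters most to ordinary users, because it sets the price of an offline password-guessing attack against a copied volume header. TrueCrypt 7.1a derives the header key with PBKDF2 using fixed, low iteration counts (1000 for SHA-512 and Whirlpool, 2000 for RIPEMD-160, per the TrueCrypt documentation), so each password guess costs an attacker only a few thousand hash operations. The Python below is an added illustration, not code from the iSec report or from TrueCrypt: it keeps TrueCrypt's PBKDF2-HMAC-SHA-512 derivation and iteration count, but replaces the real XTS-encrypted header (checked by its "TRUE" magic and CRC32) with a toy salt-plus-HMAC stand-in, so it models only the one-PBKDF2-per-guess cost that governs brute force. The wordlist and password are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Iteration counts TrueCrypt 7.1a uses for PBKDF2, per its documentation;
# the iSec audit rated these too low ("Weak Volume Header key derivation").
TRUECRYPT_ITERATIONS = {"sha512": 1000, "whirlpool": 1000, "ripemd160": 2000}
SALT_LEN = 64  # a TrueCrypt volume header begins with a 64-byte random salt
MAGIC = b"TRUE"  # TrueCrypt's header magic, reused here as the value the tag covers


def derive_header_key(password: bytes, salt: bytes, iterations: int, dklen: int = 64) -> bytes:
    """PBKDF2-HMAC-SHA-512, the derivation TrueCrypt uses for its SHA-512 option."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen)


def make_header(password: bytes, iterations: int):
    """Toy header: (salt, tag). Hypothetical stand-in for the real encrypted header:
    a real header is XTS-decrypted with the derived key and validated by magic + CRC32;
    here an HMAC tag over MAGIC plays the same 'does this key open it?' role."""
    salt = os.urandom(SALT_LEN)
    key = derive_header_key(password, salt, iterations)
    tag = hmac.new(key, MAGIC, hashlib.sha512).digest()
    return salt, tag


def header_opens(password: bytes, salt: bytes, tag: bytes, iterations: int) -> bool:
    """What the decryptor (or an attacker) does per candidate password: one PBKDF2 run."""
    key = derive_header_key(password, salt, iterations)
    return hmac.compare_digest(hmac.new(key, MAGIC, hashlib.sha512).digest(), tag)


def offline_guess(salt: bytes, tag: bytes, iterations: int, wordlist):
    """Attacker holding a copy of the header tries candidates until one verifies.
    Returns (recovered_password_or_None, number_of_PBKDF2_runs_spent)."""
    for n, candidate in enumerate(wordlist, 1):
        if header_opens(candidate, salt, tag, iterations):
            return candidate, n
    return None, len(wordlist)


def guesses_per_second(iterations: int, salt: bytes, samples: int = 5) -> float:
    """Single-threaded guess rate on this machine at a given iteration count.
    A GPU cracker runs the same PBKDF2 loop thousands of times in parallel."""
    start = time.perf_counter()
    for i in range(samples):
        derive_header_key(b"guess%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed example: a weak, dictionary-style password and a small wordlist.
    password = b"correct horse"
    wordlist = [b"123456", b"password", b"qwerty", b"correct horse", b"letmein"]
    weak = TRUECRYPT_ITERATIONS["sha512"]

    salt, tag = make_header(password, weak)
    found, runs = offline_guess(salt, tag, weak, wordlist)
    print("recovered %r after %d PBKDF2 runs at %d iterations" % (found, runs, weak))

    # Cost comparison: the same derivation at a count a modern KDF setting would use.
    strong = 200_000  # assumed comparison value, not a TrueCrypt setting
    r_weak, r_strong = guesses_per_second(weak, salt), guesses_per_second(strong, salt)
    print("guesses/sec: %.0f at %d iterations vs %.1f at %d (%.0fx slower)"
          % (r_weak, weak, r_strong, strong, r_weak / r_strong))
```

The comparison at the end is the whole point of the finding: raising the iteration count does not change the format or the cipher, it only multiplies the attacker's per-guess cost, and at 1000 iterations a dictionary or mask attack against a moderate password on GPU hardware is well within reach. A long random passphrase or a keyfile shifts the defence back to the size of the search space rather than the cost of each guess.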

In addition to the money raised from its IndieGoGo backers, the audit project has announced on IsTrueCryptAuditedYet.com that it has received a grant from the Open Technology Fund, which will fund a further 5-6 weeks of analysis of the software across all platforms.

Interested users can follow the Twitter hashtag #IsTrueCryptAuditedYet for further results.

Source: IsTrueCryptAuditedYet.com via Ghacks | Image via Advance Pensa Cola

20 Comments


Yeah, it seems that way so far from what I can make out, but I am not an expert on this stuff.

But one of them which could be an issue, unless you are using those complex passwords it can generate (i.e. using a 'keyfile' etc.), is the "weak volume header key derivation algorithm", as it appears brute force might be plausible on moderate passwords (especially considering the rate at which CPUs/GPUs advance, which really speeds up brute-forcing passwords, it appears). But I imagine those using a 'keyfile' to access their file/partition etc. are, I am pretty sure, as well off as it gets with the TrueCrypt application, as it's surely much better than moderate passwords, to say the least, from what I can make out. It also lists that as 'medium risk' along with 'medium difficulty'.

That one, from what I can tell, seems to be the worst one (i.e. highest risk) of the batch in the report.

That has me very concerned also considering how popular it is. But also this audit has only done the windows version. What about the OS X and Linux versions?

Blueclub said,
If there is nothing to fix, then why change it?

They need to add support for Windows 8.x though.

Nothing to fix? It doesn't support UEFI or GPT-partitioned drives yet; that's kind of a big deal with modern PCs moving from BIOS to UEFI more and more.

You just answered your own response. It hasn't been updated to support Win 8.x. It also doesn't support any version of OS X past 10.7.

neufuse said,
Nothing to fix? It doesn't support UEFI or GPT-partitioned drives yet; that's kind of a big deal with modern PCs moving from BIOS to UEFI more and more.

#Michael said,
You just answered your own response. It hasn't been updated to support Win 8.x. It also doesn't support any version of OS X past 10.7.

Adding support for Windows 8.x and OS X 10.7+ will be an update, not a 'fix'. There is nothing wrong with TrueCrypt; it supports Windows 8.x without UEFI, they just need an update to add support for UEFI.

Blueclub said,
If there is nothing to fix, then why change it?

They need to add support for Windows 8.x though.

What's missing? I use it on my Surface Pro (8.1) all the time.

Blueclub said,

Adding support for Windows 8.x and OS X 10.7+ will be an update, not a 'fix'. There is nothing wrong with TrueCrypt; it supports Windows 8.x without UEFI, they just need an update to add support for UEFI.

The OP (neufuse) said nothing about fixes or updates, he/she simply said that TrueCrypt has been stuck at v7.1a for a while. Do you suppose they will update the software and keep the exact same version number? Of course not.

Hard to know how serious some of these really are; hopefully more articles come out to explain exactly what this might mean to users.

Hahaiah said,
Thanks, can't say I'm encouraged by what I'm reading.

Indeed:

"Due to lax quality standards, TrueCrypt source is difficult to review and maintain. This will make future bugs harder to find and correct. It also makes the learning curve steeper for those who wish to join the TrueCrypt project."

"following the reproducible build instructions at https://madiba.encs.concordia....ruecrypt-binaries-analysis/ requires access to VC++ 1.52 (released in 1993), in addition to various Windows ports of GNU tools downloadable from wherever they can be found. Using antiquated and unsupported build tools introduces multiple risks"

I wish it was that easy to just put software through an audit, and whoosh, you have discovered all the security flaws and backdoors there could possibly be.

coolhund said,
I wish it was that easy to just put software through an audit, and whoosh, you have discovered all the security flaws and backdoors there could possibly be.

At the software development level, we have https://scan.coverity.com/ Not to mention countless other static analysis tools including clang and msvc2013.