TrueCrypt Encryption Software Has Two Critical Flaws: It's time to Move On
1.10.2015
If you are among the thousands of privacy-conscious people who are still using the ‘no longer available’ TrueCrypt encryption software, then you need to pay attention.
Two critical security vulnerabilities have been discovered in the most famous encryption tool, TrueCrypt, that could expose the user’s data to hackers if exploited.
Worse yet, TrueCrypt was audited earlier this year by a team of security researchers and found to be backdoor-free.
James Forshaw, a security researcher with Google’s Project Zero (which looks for zero-day exploits), has found a pair of privilege elevation flaws in the TrueCrypt package.
Last year, the TrueCrypt project was dropped after its mysterious developers claimed the Windows disk-encryption software had ‘unfixed security issues’.
TrueCrypt is a widely used ‘On-the-Fly’ open source hard disk encryption program.
Reportedly, the TrueCrypt vulnerabilities would not directly allow an attacker to decrypt drive data. Instead, successful exploitation allows malware installation on the victim’s machine, which would be enough to figure out TrueCrypt’s decryption key and other sensitive data.
Vulnerability Details:
Both TrueCrypt vulnerabilities have been rated as ‘Critical’ and are tracked as:
1.) CVE-2015-7358: The first vulnerability occurs because the TrueCrypt driver does not properly validate the drive letter symbolic link used for mounting volumes.
As a result, an attacker can gain access to a running process and get full administrative privileges.
2.) CVE-2015-7359: In the second vulnerability, the TrueCrypt driver does not validate the user in the security context; by exploiting this, an attacker can impersonate an authenticated user.
Researcher James Forshaw (from Google Project Zero) has not publicly announced any details about the flaws, but said on his Twitter feed that the vulnerabilities were missed in the past and could evade security audits and reviews.
If you are still relying on TrueCrypt, now is the time to move on.
Moreover, after TrueCrypt’s shutdown, a few forks of the software became available, such as:
CipherShed
VeraCrypt
Both of the above-mentioned tools are also freeware and work on the ideas they have borrowed from TrueCrypt.
Further, after the vulnerabilities were detected in TrueCrypt, VeraCrypt version 1.15, an alternate On-The-Fly-Encryption (OTFE) tool, patched the issues threatening its operations.