Users of popular full-disk On-The-Fly-Encryption (OTFE) tool TrueCrypt have had something of a rollercoaster ride this past year or so.
When the TrueCrypt devs suddenly pulled the plug on their open source product in March 2014 (bizarrely suggesting that users migrate to closed source Microsoft alternative BitLocker), general panic and paranoia reigned.
Completion of Phase I and then Phase II (in March this year) of a security audit of TrueCrypt that started before its devs warnedg people not to use their software, found no major vulnerabilities or deliberately engineered backdoors, much to everyone’s relief.
The audits did, however, find some vulnerabilities that have led most security experts to recommend avoid using TrueCrypt itself, and to instead use VeraCrypt. This is a TrueCrypt fork in which all known vulnerabilities have been patched, and which remains in active development (another fork in active development is CipherShed, but most experts seems to agree that VeraCrypt is better.)
Despite this, many die-hard fans continue to use the original TrueCrypt, but new evidence uncovered by James Forshaw, a security researcher for Google-run Project Zero, should encourage all users of TrueCrypt that the time to move on has come.
Forshaw discovered two major vulnerabilities, one of which is described a ‘critical’:
- CVE-2015-7358 (Severity – High): “The Windows driver used by projects derived from Truecrypt 7 (verified in Veracrypt and CipherShed) are vulnerable to a local elevation of privilege attack by abusing the drive letter symbolic link creation facilities to remap the main system drive. With the system drive remapped it’s trivial to get a new process running under the local system account.”
- CVE-2015-7359 (Severity – Low): “The Windows driver used by projects derived from Truecrypt 7 (verified in Veracrypt and CipherShed) are vulnerable to a local elevation of privilege attack by checking process of impersonation token which allow a user to inspect and potentially manipulate other users mounted encrypted volumes on the same machine.”
Forshaw stated on his Twitter feed (on 26 September) that that he would not release further details for 7 days, by which time a patch should be available. Both vulnerabilities have already been patched in VeraCrypt and Ciphershed.
Project Zero was setup in July 2014, is the name for a team of security researchers who work for Google, and whose job it is to discover zero-day exploits in software.
The fact that the official audit missed these vulnerabilities points to how difficult it is to fully audit highly complex code. It is also unknown whether these exploits were deliberately engineered, or are simply the result of programming mistakes, but Matthew Green, who chief researcher for original audit notes that,
‘This is a pretty narrow bug in the sense that it doesn’t affect the security of TrueCrypt encryption itself.’
We nevertheless strongly recommend that readers who use TrueCrypt switch to VeraCrypt or another open source encryption program instead.