Encryption Tool Endorsed By Snowden Abruptly Shuts Down


On Wednesday afternoon, the official website for the TrueCrypt encryption software, which lets users encrypt whole hard drives as well as individual sensitive files, was updated to say that the tool is no longer safe to use. The website gives no details about the security issues it alludes to, but it does state that development of the decade-old tool ended this month after Microsoft terminated support for Windows XP. The very top of the page now reads "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues," followed by step-by-step instructions for migrating from TrueCrypt to BitLocker, Microsoft's built-in full-disk encryption.

TrueCrypt has, for more than a decade, been the program of choice for many security-conscious people, Edward Snowden among them. In December 2012, Snowden organized a CryptoParty in Hawaii where he explained how TrueCrypt can keep information away from prying eyes: a business traveler, for example, might use it to protect sensitive files so that if the computer is stolen, whoever has it cannot read those files without the password that unlocks them. Today's advisory came as a shock to the security community, and no one has yet been able to confirm its authenticity.

In 2013, Kenneth White and Matthew Green started the Open Crypto Audit Project and crowdfunded a professional review of TrueCrypt. Despite being ten years old and built by a group of anonymous developers, the software had never received a complete review until earlier this year. Results from phase one of the audit, released last month, revealed no evidence of any backdoors. The second phase of the audit is still pending.

Matthew Green said on Twitter that he had reached out to his contact at TrueCrypt for a comment, but added "I'm not holding my breath though."

The following three pieces currently make up this unsolved puzzle: the website, the software, and the cryptographic signatures that allow users to verify the authenticity of the software.

At the bottom of the TrueCrypt website, past all the warnings and step-by-step instructions for migrating to BitLocker, is a link to a new version of the software for Windows, along with two files that allow users to verify that the software they have downloaded is authentic. The new version is signed with the official TrueCrypt signing key, which shows that whoever updated the website also controls the key used to release and sign new versions of the software. A valid signature proves control of that key; it says nothing about whether the people holding it were acting freely.
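The verification step described above, worked through as an added shell example (not code from this article or from the TrueCrypt project): it builds throwaway keys and a stand-in release file, then shows why a "Good signature" result is not enough on its own. The signing key's fingerprint has to be pinned to a value obtained independently of the website, because whoever changed the site can just as easily publish a fresh key file next to the download. All key names, file names and fingerprints here are constructed for the demo; the only assumption is that GnuPG 2.x is installed.

```shell
#!/bin/sh
# Added example, not the article's or the TrueCrypt project's code.
# Verify a release file against its detached PGP signature AND pin the
# signer's fingerprint. Every key, file and fingerprint below is generated
# here for the demo; the real TrueCrypt key and file names are not used.
set -eu

WORK="$(mktemp -d)"
SIGNER_HOME="$WORK/signer"      # keyring holding the (demo) project key
IMPOSTOR_HOME="$WORK/impostor"  # keyring of someone who re-signs the file
USER_HOME="$WORK/user"          # the downloader's throwaway keyring
for d in "$SIGNER_HOME" "$IMPOSTOR_HOME" "$USER_HOME"; do
    mkdir -p "$d" && chmod 700 "$d"
done
cleanup() {
    for d in "$SIGNER_HOME" "$IMPOSTOR_HOME" "$USER_HOME"; do
        GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gen_key HOME UID -> prints the new key's 40-hex-char fingerprint
gen_key() {
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" ed25519 sign never >/dev/null 2>&1
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" \
        | awk -F: '/^fpr:/ {print $10; exit}'
}

# verify_release FILE SIG PUBKEY EXPECTED_FPR
#   0: good signature made by the pinned key
#   1: no valid signature (tampered file, or no key that matches)
#   2: valid signature, but from a key other than the pinned one
verify_release() {
    file="$1"; sig="$2"; pubkey="$3"; expected="$4"
    GNUPGHOME="$USER_HOME" gpg --batch --quiet --import "$pubkey" 2>/dev/null || true
    # --status-fd 1 gives machine-readable lines; the VALIDSIG line's first
    # argument is the fingerprint of the key that actually made the signature.
    status="$(GNUPGHOME="$USER_HOME" gpg --batch --status-fd 1 \
        --verify "$sig" "$file" 2>/dev/null || true)"
    fpr="$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / {print $3; exit}')"
    [ -n "$fpr" ] || return 1
    [ "$fpr" = "$expected" ] || return 2
    return 0
}

# --- constructed demo data: two keys, one release file, one tampered copy ----
PROJECT_FPR="$(gen_key "$SIGNER_HOME" "Demo Project Signer <signer@example.invalid>")"
IMPOSTOR_FPR="$(gen_key "$IMPOSTOR_HOME" "Demo Impostor <impostor@example.invalid>")"
PROJECT_PUB="$WORK/project.pub"; IMPOSTOR_PUB="$WORK/impostor.pub"
GNUPGHOME="$SIGNER_HOME"   gpg --batch --armor --export "$PROJECT_FPR"  > "$PROJECT_PUB"
GNUPGHOME="$IMPOSTOR_HOME" gpg --batch --armor --export "$IMPOSTOR_FPR" > "$IMPOSTOR_PUB"

RELEASE="$WORK/Setup-demo.bin"            # stands in for the installer
printf 'demo installer bytes v1\n' > "$RELEASE"
TAMPERED="$WORK/Setup-demo-tampered.bin"  # same file with bytes changed
printf 'demo installer bytes v1 + extra\n' > "$TAMPERED"

GOOD_SIG="$WORK/good.sig"; IMPOSTOR_SIG="$WORK/impostor.sig"
GNUPGHOME="$SIGNER_HOME" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
    --local-user "$PROJECT_FPR" --detach-sign --output "$GOOD_SIG" "$RELEASE"
GNUPGHOME="$IMPOSTOR_HOME" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
    --local-user "$IMPOSTOR_FPR" --detach-sign --output "$IMPOSTOR_SIG" "$RELEASE"

# --- the three situations a downloader can be in ----------------------------
report() {
    rc=0; verify_release "$2" "$3" "$4" "$PROJECT_FPR" || rc=$?
    echo "$1: rc=$rc"
}
report "genuine file, signed by the pinned key"       "$RELEASE"  "$GOOD_SIG"     "$PROJECT_PUB"
report "tampered file, original signature"            "$TAMPERED" "$GOOD_SIG"     "$PROJECT_PUB"
report "genuine file, re-signed with a different key" "$RELEASE"  "$IMPOSTOR_SIG" "$IMPOSTOR_PUB"
```

Run as a script, the three report lines end in rc=0, rc=1 and rc=2. The third case is the one that matters here: gpg itself reports a good signature, because the key that was imported is the key that made it. Only the fingerprint comparison catches it, and that comparison is only worth something if the expected fingerprint comes from a copy of the key obtained well before the website changed, not from the key file offered beside the download.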

Attempting to install this new version of TrueCrypt in a virtual machine, I noticed that the software displays the same warning and step-by-step instructions that are present on the website. The user interface has a similar warning added to it: "WARNING: Using TrueCrypt is not secure." A quick analysis of the software did not reveal any malicious behavior, though a deeper dive could perhaps provide different results. Older versions of the software would ask users to consider making a donation at the end of the installation process, but this request has since been removed. Additionally, the user manual is no longer included with the software. It seems this new version can only be used to decrypt data and migrate existing encrypted storage volumes, not create new ones.

It is unclear whether the TrueCrypt developers were compromised or if this is all part of an elaborate plan to end development of the widely used tool. Forbes will continue to cover this unfolding story as more information becomes available.

(Disclosure: I’m on the Open Crypto Audit Project's Technical Advisory Board.)
