TrueCrypt critical flaws revealed: It’s time to jump ship
TrueCrypt may have been abandoned by its original developers, but it remains one of the few free disk encryption options for Windows, and two newly discovered critical vulnerabilities in it have just been reported by Google Project Zero researcher James Forshaw.
Attackers with local access could leverage the flaws to hijack processes and grant themselves full administrator privileges, and with such keys to a system, havoc could ensue.
The disk encryption software was abruptly discontinued in May 2014, shortly after Microsoft ended support for Windows XP, with its developers citing only "unresolved security issues" and giving no further explanation.
At that time a crowd-funded effort was already underway to perform a professional security audit of TrueCrypt’s source code and its cryptography implementations. The severity of the newly-discovered problems has led to renewed calls for remaining TrueCrypt users to seek an alternative.
The first phase of the TrueCrypt audit project, performed by security engineers from iSEC Partners, a subsidiary of information assurance company NCC Group, covered the Windows driver code. That the bugs survived the audit is not surprising: "Windows drivers are complex beasts" and it is easy to miss local elevation of privilege flaws, Forshaw said on Twitter. Forshaw has not yet published details of the flaws, as he prefers to wait a week after a patch has been released before disclosing them. What is known is that they can reportedly be exploited through "abusive drive letter handling", and he and other researchers agree that the vulnerabilities were ordinary coding mistakes rather than deliberately planted backdoors.
Whether these particular bugs were among the "unresolved security issues" that led the developers to abandon the project is unknown. Even if they were, it seems likely that other security problems remain undiscovered in the code base. As ExtremeTech points out, one alternative, VeraCrypt, is a fork of the TrueCrypt codebase that has already patched these bugs, so switching to it should require little adjustment for existing users.
Users who are still running TrueCrypt or an unsupported variant of it should move to a maintained, actively patched tool soon, as there is no telling how many more vulnerabilities will be found in the abandoned code in the future.