Flaws discovered in TrueCrypt, but journalists still have options for encryption

Project Zero, a Google team that searches for bugs, has identified two flaws affecting the TrueCrypt disk encryption software program. While the flaws, which were found by computer security researcher James Forshaw, are not cryptographic–meaning they couldn’t be used directly to decrypt a disk or device–they present potential problems for user security.

Development of TrueCrypt, a free cross-platform disk-encryption tool that CPJ recommends journalists use to protect their data, ended in May last year, but the developers of an independent spinoff (or “forked“) project called VeraCrypt say they have already fixed the flaws. The VeraCrypt project emerged to take over maintenance of the TrueCrypt codebase and continues to update the software’s code and fix bugs. For those who rely on the cross-platform capabilities of TrueCrypt, running it in a dedicated virtual machine–software that acts like a separate computer–will help prevent exposure to the flaws. Alternatively, users can use VeraCrypt.

It is not the first time flaws have been discovered in TrueCrypt. As the software is still in wide use, but without maintainers to provide security updates, it is unlikely to be the last. When the anonymous team behind the encryption tool abruptly ended the project last year, the security community arranged for an audit of TrueCrypt’s source code. The audit, conducted by security firm iSec Partners, identified minor issues of code quality and other flaws, but found little to shed doubt on the integrity of the tool. After the results were made public, CPJ concluded that the audited version remained a reliable tool.

No audit will identify every possible flaw and, given the technical nature of the latest ones to be discovered, it is not surprising they were missed. Both flaws apply to Windows computers that have TrueCrypt installed. The flaws can be exploited only by someone who already has a user account on the machine. The first flaw, which is more dangerous, would allow someone who has a limited user account to the machine to obtain full administrative control. The second would allow an unauthorized user to forcibly eject a TrueCrypt volume that is in use, potentially disrupting the system’s operations. Neither flaw can be exploited by someone who cannot already log on to the machine, and neither would help decrypt or disrupt a TrueCrypt volume which is not in use.

CPJ has not evaluated the security or reliability of VeraCrypt and no solution is without risk. However, few things are riskier than not using encryption at all. CPJ continues to recommend that everyone uses the disk-encryption software that comes with their operating system: BitLocker for Windows, FileVault 2 for Mac OS X, LUKS for Linux, and device encryption on Android (iOS devices running the most recent operating system are encrypted by default.) It is also important to use a complex and memorable passphrase or PIN.