Edward Snowden’s revelations regarding the NSA’s covert surveillance activities not only heightened public awareness of online privacy, they also created a general atmosphere of suspicion and mistrust. One piece of software that came under the microscope in particular was the popular and widely used TrueCrypt.
More than 30 million users worldwide have relied on the free and open-source encryption software TrueCrypt to secure critical data, and indeed entire drives, supposedly safe in the knowledge that their data was protected from prying eyes. Then along came Edward Snowden’s startling exposé, and all of a sudden people were not so certain any more. What if the NSA had somehow planted a backdoor in TrueCrypt that allowed the encryption to be bypassed and left all that personal data open to surveillance?
This was the hypothetical scenario that prompted a crowdfunded effort, under the banner ‘Open Crypto Audit Project’ (OCAP), to raise $80,000 to fund audits of the TrueCrypt code and its cryptography. In January 2014 the US consultancy iSEC Partners was engaged to undertake the first phase, a security assessment of the TrueCrypt bootloader and Windows kernel driver, which has now been completed and its findings published.
The audit did turn up a number of bugs, but these were assessed as accidental rather than malicious. The report summarises:
iSEC did not identify any issues considered ‘high severity’ during this testing. iSEC found no evidence of backdoors or intentional flaws. Several weaknesses and common kernel vulnerabilities were identified, including kernel pointer disclosure, but none of them appeared to present immediate exploitation vectors. All identified findings appeared accidental.
In sum, while TrueCrypt does not have the most polished programming style, there is nothing immediately dangerous to report.
While these findings are bound to offer some relief to the multitude of TrueCrypt users, it is not quite over yet. The first phase covered only the bootloader and the Windows kernel driver, so the absence of high-severity findings says nothing yet about the soundness of the cryptography itself. The second phase of the audit will examine TrueCrypt’s cryptographic algorithms, its random number generation and the implementation of its cryptographic code, among other aspects.
- View a summary of iSEC’s findings here: iSEC Completes TrueCrypt Audit
- Download or view iSEC’s full report (32 page PDF) here: TrueCrypt Security Assessment