More than 30 million users worldwide have used the free and open source encryption software TrueCrypt to secure critical data, and indeed entire drives, supposedly safe in the knowledge that their data was being protected from prying eyes. Then along came Edward Snowden’s startling exposé, and all of a sudden people were not so certain any more. What if the NSA had somehow planted a backdoor into TrueCrypt that enabled circumvention of the encryption and left all that personal data open to surveillance?
The good news, according to the iSEC report: “iSEC did not identify any issues considered ‘high severity’ during this testing. iSEC found no evidence of backdoors or intentional flaws.”
The audit did reveal a number of bugs, but these were assessed as “accidental”:
iSEC did not identify any issues considered ‘high severity’ during this testing. iSEC found no evidence of backdoors or intentional flaws. Several weaknesses and common kernel vulnerabilities were identified, including kernel pointer disclosure, but none of them appeared to present immediate exploitation vectors. All identified findings appeared accidental.
In sum, while TrueCrypt does not have the most polished programming style, there is nothing immediately dangerous to report.
While these findings are bound to offer some relief for the multitude of TrueCrypt users, it ain’t quite over yet. The second phase of the audit will examine TrueCrypt’s key cryptographic algorithms, random number generators and their implementation, among other aspects.
- View a summary of iSEC’s findings here: iSEC Completes TrueCrypt Audit
- Download or view iSEC’s full report (32 page PDF) here: TrueCrypt Security Assessment