The revelations of Edward Snowden's leaks confirmed that security agencies spend time and money trying to undermine cryptographic software.
Potential backdoors in cryptographic software or protocols would be disastrous, and that is one of the reasons why requests for audits became louder and more prominent.
The Open Source encryption software TrueCrypt ran a fundraiser for a public TrueCrypt audit last year and managed to collect enough money to make that happen.
TrueCrypt is a cross-platform encryption software that can create encrypted containers on hard drives or encrypt entire hard drive partitions including the system partition.
Results of the first part of the audit have been released yesterday evening. You can download a PDF document with the audit's findings.
The researchers identified eleven vulnerabilities in total, of which none received the highest severity rating. Four issues were rated as medium, another four as low, and three as informational.
The following vulnerabilities were found:
- Weak Volume Header key derivation algorithm (Medium)
- Sensitive information might be paged out from kernel stacks (Medium)
- Multiple issues in the bootloader decompressor (Medium)
- Windows kernel driver uses memset() to clear sensitive data (Medium)
- TC_IOCTL_GET_SYSTEM_DRIVE_DUMP_CONFIG kernel pointer disclosure (Low)
- IOCTL_DISK_VERIFY integer overflow (Low)
- TC_IOCTL_OPEN_TEST multiple issues (Low)
- MainThreadProc() integer overflow (Low)
- MountVolume() device check bypass (Informational)
- GetWipePassCount() / WipeBuffer() can cause BSOD (Informational)
- EncryptDataUnits() lacks error handling (Informational)
The audit contains detailed descriptions of each vulnerability listed above, addresses exploit scenarios and short and long term solutions to address the issue.
While the researchers found several code related issues such as the use of insecure or deprecated functions or inconsistent variable types, they found no evidence of a backdoor in TrueCrypt.
Finally, iSEC found no evidence of backdoors or otherwise intentionally malicious code in the assessed areas. The vulnerabilities described later in this document all appear to be unintentional, introduced as the result of bugs rather than malice.
TrueCrypt users who use full disk encryption with reasonably long secure passwords should be mostly fine. All issues identified need to be corrected by the developers of the application and while that may take a while, it is reasonable to assume that users who follow these recommendations have nothing to worry about.
You can follow the audit on the Is TrueCrypt audited yet website.