The revelations of Edward Snowden's leaks confirmed that security agencies spend time and money trying to undermine cryptographic software.
Potential backdoors in cryptographic software or protocols would be disastrous, and that is one of the reasons why requests for audits became louder and more prominent.
The Open Source encryption software TrueCrypt ran a fundraiser for a public TrueCrypt audit last year and managed to collect enough money to make that happen.
TrueCrypt is a cross-platform encryption software that can create encrypted containers on hard drives or encrypt entire hard drive partitions including the system partition.
Results of the first part of the audit were released yesterday evening. You can download a PDF document with the audit's findings.
The researchers identified eleven vulnerabilities in total, none of which received the highest severity rating. Four issues were rated as medium, another four as low, and three as informational.
The following vulnerabilities were found:
The audit contains a detailed description of each vulnerability listed above, covering exploit scenarios as well as short-term and long-term solutions to address the issue.
While the researchers found several code-related issues, such as the use of insecure or deprecated functions or inconsistent variable types, they found no evidence of a backdoor in TrueCrypt.
Finally, iSEC found no evidence of backdoors or otherwise intentionally malicious code in the assessed areas. The vulnerabilities described later in this document all appear to be unintentional, introduced as the result of bugs rather than malice.
TrueCrypt users who use full disk encryption with reasonably long, secure passwords should be mostly fine. All identified issues need to be corrected by the developers of the application, and while that may take a while, it is reasonable to assume that users who follow these recommendations have nothing to worry about.
You can follow the audit on the Is TrueCrypt Audited Yet website.