Slashdot Mirror

← Back to Stories (view on slashdot.org)

VeraCrypt Security Audit Reveals Many Flaws, Some Already Patched (helpnetsecurity.com)

Posted by EditorDavid on from the squashing-bugs dept.

Orome1 quotes Help Net Security: VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab. The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report [which has mitigations for the still-unpatched vulnerabilities].
Anyone want to share their experiences with VeraCrypt? Two Quarkslab engineers spent more than a month on the audit, which was funded (and requested) by the non-profit Open Source Technology Improvement Fund "to evaluate the security of the features brought by VeraCrypt since the publication of the audit results on TrueCrypt 7.1a conducted by the Open Crypto Audit Project." Their report concludes that VeraCrypt's security "is improving which is a good thing for people who want to use a disk encryption software," adding that its main developer "was very positive along the audit, answering all questions, raising issues, discussing findings constructively..."

10 of 75 comments (clear)

  1. Social Holes by Fringe · · Score: 3, Interesting

    VeraCrypt/True were already secure -enough-. Cracking through the holes is usually more effort than local law enforcement, your boss or the local mob will care about. If you're on the radar of worse people, they can toss you in jail or threaten your family. So while I consider better security a good thing when it doesn't increase cost or inconvenience, it's not really an essential move forward.

    The bigger problem is common passwords, leaving the volume open, having open drives automatically backed up to "the cloud", emailing documents... things these security code fixes cannot address. We don't hear often that the Feds have used a security hole to extract data from a user's system.

  2. Should we be using TrueCrypt 7.1a instead? by Anonymous Coward · · Score: 3, Insightful

    Honest question. Should we be using TrueCrypt 7.1a instead? I, personally, am. We live in scary times, and it is hard to trust any authority. I feel that TrueCrypt 7.1a, the last version prior to the strange shut down of the project, is probably less likely to have backdoors than any of the newer TrueCrypt versions or forks (specifically, VeraCrypt and CipherShed). Can someone convince me otherwise?

    1. Re: Should we be using TrueCrypt 7.1a instead? by Anonymous Coward · · Score: 3, Informative

      Well, if you read the article you'll notice a long list of vulnerabilities which already existed in truecrypt and have been patched in veracrypt. Regardless of whether they're 'backdoors' or not truecrypt demonstrably has a large number of vulnerabilities that don't exist in veracrypt.

    2. Re:Should we be using TrueCrypt 7.1a instead? by gweihir · · Score: 3, Interesting

      I think so. TrueCrypt 7.1a has, as far as I remember, only local exploits that matter. In the regular scenario (laptop), there is no other user and they do not matter at all. I do not trust the VeraCrypt person.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re: Should we be using TrueCrypt 7.1a instead? by gweihir · · Score: 3, Insightful

      The length of the list of vulnerabilities is completely irrelevant. What matters is whether they are a risk in the specific deployment scenario. Security cannot be estimated without understanding.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Should we be using TrueCrypt 7.1a instead? by Kjella · · Score: 4, Informative

      I would like this answer too, please, someone...

      If you have system encryption enabled (traditional BIOS, no UEFI support) and you have a strong passphrase and you are the only user and you're not worried that anyone can physically tamper with your system boot or rescue disc - in which case they might just as well use a key logger - then there's no critical issues.

      There are several nice to haves that make weak passwords stronger by increasing iterations, close various attacks that other users/processes can do and cleaning up better if you only use containers. The ugliest is probably a privilege escalation attack, malicious software can use the TrueCrypt driver to escalate to admin but if malware is running on your machine you probably have big problems anyway.

      Probably the most interesting part about VeraCrypt is the potential for UEFI boot but apparently there's no way to secure erase the keyboard buffer, all you can do is reset it (which they didn't do, but do now) and hope the driver actually overwrites it. But if you can dump the entire UEFI memory area it might still be there. Hopefully legacy BIOS mode will be around for a while longer, in this case simpler is safer.

      --
      Live today, because you never know what tomorrow brings
  3. I use it and appreciate the developer's approach. by RoverDaddy · · Score: 4, Insightful

    I am not a security expert and can't tell you whether Veracrypt is 100% secure, but I've been using it and I'm reasonably convinced that at least nobody short of a 'state actor' is likely to get at my data, and they're not the people I'm securing data from. It's the petty thieves who might steal my backup drives, or somebody who finds a USB stick I accidentally drop on the ground, that I'm protecting myself from.

    I've been to the support forums for Veracrypt and my impression is the developer is trying hard to be transparent and responsive and make the product as secure as possible.

    --
    RETURN without GOSUB in line 1050
  4. Illusion of secure encryption on an insecure OS by ffkom · · Score: 4, Insightful

    Veracrypt may provide decent cryptographic functionality, but given that its main audience is Windows and Mac users, the two huge security holes they cannot fix are called "MicroSoft" and "Apple". You can make Veracrypt as secure and error-free as you want, as long as it has to expose the decrypted data to some commercial, closed-source operating system that phones home like crazy to provide its manufacturer with valuable data, there is no actual security. Not to mention the backdoors builtin for certain 3-letter-agencies.

    1. Re:Illusion of secure encryption on an insecure OS by jbn-o · · Score: 4, Insightful

      Indeed; there are many reasons not to do business with Apple and many reasons to never use proprietary, user-subjugating software. Contrary to one of the follow-ups to the parent post, this has everything to do with TrueCrypt, VeraCrypt, and any other free software to which one entrusts their sensitive information. There's nothing these programs can do to fix the real problem. The user has to switch operating systems to a fully free software, user-respecting OS and install only free software on top of that to do the best we can do to avoid the aforementioned problems. So while nobody can blame these free software programs for leaked keys, passphrases, and other leaked information there's no reason to trust the underlying proprietary software these free programs rely on to do everything they do when running on non-free OSes.

      --
      Digital Citizen
  5. Reliable sources: TrueCrypt 7.1a by Futurepower(R) · · Score: 3, Informative

    TrueCrypt 7.1a

    TrueCrypt 7.1a hashes.

    TrueCrypt from Switzerland -- Swiss Mirror