
TrueCrypt Encryption Software Shut Down, May Be Compromised

Independent encryption software TrueCrypt is apparently not as secure as many thought. Yesterday (May 28, 2014), the TrueCrypt homepage was suddenly replaced with a notification that read "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues."

TrueCrypt is used by many security-minded people, including NSA whistleblower Edward Snowden, to turn a storage device, such as a flash drive or hard drive, or a partition of such a device, into an encrypted volume, protecting the documents stored in that volume from prying eyes.

But TrueCrypt's creators never revealed their true identity, which caused others to be skeptical of its integrity. TrueCrypt was recently the subject of an independent security audit examining TrueCrypt's code for flaws, bugs or backdoors.


TrueCrypt's abrupt warning was accompanied by instructions for how to transfer TrueCrypt-encrypted files to BitLocker, Microsoft's proprietary disk-encryption feature built into Windows Vista Ultimate and Enterprise, Windows 7 Ultimate and Enterprise, and Windows 8 Pro and Enterprise.

The warning suggested that TrueCrypt was intended to be used on Windows XP, Microsoft's earlier operating system, which lacks a built-in encryption option.

"The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP," the warning read. "Windows 8/7/Vista and later offered integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms."

But the TrueCrypt software had versions for the more recent Windows operating systems, as well as for Mac OS X, Linux and Android (the latter via third-party apps). Many security-minded people valued TrueCrypt for its perceived independence from major software companies, even though the creators' identities were never revealed.

Some have speculated that TrueCrypt may have been pressured to close down in the face of government scrutiny, as encrypted-email service Lavabit was in 2013.

Others suggested that TrueCrypt's website might have just been hacked, or defaced as part of a prank. But independent security expert Brian Krebs says that appears unlikely; he looked at the site's records and found "no substantive changes recently" to its hosting, DNS or WHOIS records. 

It seems that the mysterious people behind TrueCrypt simply decided to end the project.

"Whether hoax, hack or genuine end-of-life for TrueCrypt, it's clear that no security-conscious users are going to feel comfortable trusting the software after this debacle," wrote independent security expert Graham Cluley on his blog. "It's time to start looking for an alternative way to encrypt your files and hard drive."

So could the fact that it was being audited have anything to do with TrueCrypt shutting down? The first round of the audit, which looked at TrueCrypt's Windows bootloader and kernel driver, found no evidence of backdoors or critical vulnerabilities, though it did flag several lower-severity issues. The next round, to be completed this summer, was to examine the cryptography used in the software.

The organizer of the TrueCrypt audit was Matthew Green, a security expert and cryptography professor at Johns Hopkins University in Baltimore, Maryland.

"Last I heard from Truecrypt: 'We are looking forward to results of phase 2 of your audit. Thank you very much for all your efforts again!'" Green tweeted today.

Green says the audit will continue. He also suggested that other independent cryptographers might be able to continue the TrueCrypt developers' work, but the product's ambiguously worded license will probably make that difficult.

"I was starting to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn’t want their names out there," Green told Krebs in an interview on the latter's blog. "But now this decision makes me feel like they’re kind of unreliable. Also, I’m a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits."

Until more is revealed, TrueCrypt users should probably stop using the software, and at the very least should not install the 7.2 build posted alongside the warning, which can only decrypt existing volumes and cannot create new ones.

Email jscharr@tomsguide.com or follow her @JillScharr.

  • house70
    1. A perfect tarnishing campaign by NSA to get rid of the only serious roadblock,
    or
    2. A last attempt to conceal the real creators behind it (NSA), after convincingly posing as the one independent encryption solution; now that the audit is getting uncomfortably close to the people behind it the last resort is to abruptly shut it down.

    Reply
  • LordConrad
    I will keep using Truecrypt until it's proven insecure or until something better comes along. Whoever recommended Bitlocker is a fool, Microsoft is known for their snooping (Skype, Windows NSA decryption key).
    Reply
  • bison88
    I wouldn't go as far as recommending people stop using TrueCrypt. If you've been using a version prior to this 7.2 release then you should be good. Given 7.1a is already two years old and being looked into by researchers, any nefarious things that old will be discovered.

    However, going forward I wouldn't trust TrueCrypt. Even if this was a joke, internal bickering, or a malicious hacker, the trust has already been ruined. These guys are anonymous developers for a reason, the bad part is that anonymity can kill you if something like this happens. Nobody knows who these guys are so any information coming out could be easily proclaimed as being fake from this point on.

    Huge hit to the future of Volume based encryption. There aren't a lot out there, let alone ones that are completely free.
    Reply
  • Christopher1
    No one smart will trust Bitlocker because Microsoft stuff is known to have backdoors in it.
    Reply
  • Vorador2
    One of the weirdest things I've ever seen. Not only are they dropping the software entirely based on a completely unrelated reason (XP support dropping out), but they also recommend a less secure proprietary alternative like Bitlocker, which isn't even available on Home versions of Windows.

    My personal take on the matter is that the Truecrypt team has been slowly dissolving since the last version was released two years ago, and the last people maintaining the project have given up on it in a "f*ck it all" way.

    In any case, since it's open source it's likely another team will take the baton. Truecrypt is too useful to pass up, and the initial audit of the software was passed without problems.
    Reply
  • LORD_ORION
    I would think this is more of a "Look NSA, we shut down development and discouraged people from using the software" after the developers were ordered to provide source to the NSA and refused.

    Regardless, unless you build it yourself, looks like you can trust nobody.
    Reply
  • beayn
    If TrueCrypt was connecting to unknown internet addresses and sending data, it would have been discovered. That would be the only reason to suddenly stop using it. If it contains a backdoor, of course you're gambling with it being exploited, but we gamble with security flaws that can be exploited every day. I don't see a reason to immediately stop using the software without getting the final results of the second audit. Seems odd to recommend it be stopped immediately. I know some organizations that use the software on dozens of laptops, it would be a pretty big undertaking to stop using it.
    Reply
  • digimatrix
    @Christopher1
    @LordConrad

    And yet both of you don't have proof to back up your baseless claims. I work for a Fortune 500 company that uses Bitlocker and, contrary to what you believe, Bitlocker does not have any backdoors. This is because we hire an independent security auditor to scrutinize Bitlocker's source code (from time to time), subject to a non-disclosure agreement with Microsoft.
    Reply
  • dro2
    @Christopher1
    @LordConrad

    And yet both of you don't have proof to back up your baseless claims. I work for a Fortune 500 company that uses Bitlocker and, contrary to what you believe, Bitlocker does not have any backdoors. This is because we hire an independent security auditor to scrutinize Bitlocker's source code (from time to time), subject to a non-disclosure agreement with Microsoft.

    What complete BS...
    Reply
  • StygianAgenda
    If TrueCrypt was connecting to unknown internet addresses and sending data, it would have been discovered. That would be the only reason to suddenly stop using it. If it contains a backdoor, of course you're gambling with it being exploited, but we gamble with security flaws that can be exploited every day. I don't see a reason to immediately stop using the software without getting the final results of the second audit. Seems odd to recommend it be stopped immediately. I know some organizations that use the software on dozens of laptops, it would be a pretty big undertaking to stop using it.
    Reply