Due to unfixed security issues, one of the most widely used encryption tools, TrueCrypt, may not actually be secure, according to a May 28 update posted on the open-source software’s SourceForge page. The update also says that development of the software has ended.
The following message was posted to the TrueCrypt page:
“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues
This page exists only to help migrate existing data encrypted by TrueCrypt.
The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”
The surprise announcement offers little explanation and instructs users on how to migrate their encrypted drives to Microsoft’s BitLocker encryption program, leaving many people suspicious, confused and concerned as to what exactly is going on behind the scenes with the anonymous TrueCrypt developers.
At face value, it seems that the people behind TrueCrypt simply decided to end the project due to the now default inclusion of encryption software like BitLocker in Microsoft operating systems. But with the abrupt notice, suspicious github changelog edits, and the recommendation of switching to closed-source Windows encryption software, something just doesn’t seem right.
As Wired reported, “It’s all a bit of a mystery, because, like a small number of other open-source projects, TrueCrypt is built by anonymous developers. It’s hard to know if the good guys have screwed up or if the bad guys are in control.”
The TrueCrypt software is designed to turn a storage device such as a USB stick or hard drive into an encrypted volume, protecting any files stored inside the volume with supposedly uncrackable encryption algorithms. For years, the software has been widely recommended by security experts, and many Bitcoin users rely on it to keep their wallet.dat file protected.
So what exactly is going on with TrueCrypt? Was the website compromised by hackers? Maybe the developers were worried that the ongoing audit would find a vulnerability in its code. Or could the shutdown be related to U.S. government intervention, similar to the LavaBit situation?
After examining the TrueCrypt site records and finding “no substantive changes recently” to its hosting, DNS, or WHOIS records, security expert Brian Krebs said that it doesn’t appear to be the work of hackers.
“What’s more, the last version of TrueCrypt uploaded to the site on May 27 shows that the key used to sign the executable installer file is the same one that was used to sign the program back in January 2014. Taken together, these two facts suggest that the message is legitimate, and that TrueCrypt is officially being retired,” said Krebs.
Matthew Green, a cryptographer, research professor at the Johns Hopkins University Information Security Institute, and the organizer of the TrueCrypt audit, also believes that this was just the unique way that the TrueCrypt developers decided to quit.
Green did state that he is “a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits.”
Other theories speculate that it could be due to a secret U.S. government subpoena, or a National Security Letter.
Soon after it was reported that LavaBit was the email service used by Edward Snowden, the company was served with a court order (along with a gag order) requiring them to install surveillance equipment on their network, which would give the government access to all messages to and from LavaBit customers. Instead of complying, LavaBit decided to shut down.
Snowden, along with Glenn Greenwald, both used TrueCrypt to protect the NSA data in their possession. Assuming that at least one TrueCrypt developer lives in the U.S., it’s certainly possible that they too received a similar court order, and decided to pull the plug and drop hints, known as a “warrant canary,” rather than compromise the privacy of their customers.
Many have pointed out how absurd it seems for the TrueCrypt developers to recommend that their users migrate data to Microsoft’s BitLocker. One, because BitLocker is not open-source software, and two, because Microsoft has a history of closely collaborating with U.S. intelligence agencies, even helping the NSA “circumvent the company’s own encryption.”
If they were served with a court order and National Security Letter, a tongue-in-cheek, warrant canary type of message from the developers, insinuating that they are legally unable to give specific details regarding their situation, could be possible. This Reddit post is full of various theories as to what could be going on.
Wikileaks tweeted the following about the situation:
“Truecrypt has released an update saying that it is insecure and development has been terminated. The style of the announcement is very odd; however we believe it is likely to be legitimate and not a simple defacement. The new executable contains the same message and is cryptographically signed. We believe that there is either a power conflict in the dev team or psychological issues, coercion of some form, or a hacker with access to site and keys.”
All speculation aside, until more information is available, the only thing that can be said for certain is that it’s probably a good idea to stop using TrueCrypt.