Security Audit Finds Critical Vulnerabilities In VeraCrypt, TrueCrypt’s Main Successor

A security audit performed by Quarkslab and funded by OSTIF uncovered several problems with the VeraCrypt disk encryption tool. The auditors found eight critical, three medium-severity, and 15 low or informational vulnerabilities in the software.

VeraCrypt As TrueCrypt’s Main Successor

The developers behind VeraCrypt forked the TrueCrypt disk encryption tool about a year before it was  abandoned by its creator. Other forks from TrueCrypt (such as CipherShed) exist, but VeraCrypt seems to have received the most attention from open source disk encryption software users since TrueCrypt's abandonment.

VeraCrypt improved on TrueCrypt by resolving its predecessor’s security issues after they were uncovered by the Open Crypto Audit Project in 2015. Some issues remain, because fixing them would require significant architectural changes or break compatibility with TrueCrypt-encrypted disks, and the VeraCrypt team seems to have decided against fixing those legacy issues in the software for now. As more former TrueCrypt users start to switch, however, it may be possible to convert them to any new formats VeraCrypt adopts in the future.

VeraCrypt's developers continually add new features, improve old ones, and add support for new versions of desktop operating systems to VeraCrypt — but with those updates come new vulnerabilities.  

New Issues Created By New Features

Quarkslab recommended immediately fixing several issues, including the availability of a 64-bit symmetric block cipher with a non-secure 64-bit block size called GOST; outdated and poorly written compression libraries; and the fact that UEFI boot passwords can be retrieved by an attacker. The security researchers also noted that the UEFI bootloader is not mature enough yet, but it doesn’t seem to pose any problems from a cryptographic point of view.

Some of the components of the VeraCrypt project weren’t audited, likely for the same reason they weren't covered by the TrueCrypt audit in 2015: lack of funding. The Linux and macOS versions of Veracrypt were also omitted from the audit.

VeraCrypt has already fixed the “vast majority” of the uncovered vulnerabilities in the latest 1.19 version of the software, except for the ones that would require architectural changes, such as using "scrypt" instead of PBKDF2 for password-based key derivation. However, this issue has been partially fixed by increasing the number of iterations from a maximum of 2,000 to a maximum of 655,331.

OSTIF, the nonprofit that funded the audit, asked users of VeraCrypt to continue to donate money so it can pay for future VeraCrypt audits, which will need to be done on a more regular basis, because changes made to improve VeraCrypt's architecture can introduce new security vulnerabilities.

Create a new thread in the News comments forum about this subject
This thread is closed for comments
4 comments
Comment from the forums
    Your comment
  • Kimonajane
    Truecrypt abruptly shut down after men in black trench coats (fascist FEDS) visited the. VeraCrypt has security vulnerabilities just like MS does with Windows probably because of the NSA and trying to get back doors built in for the fascist FED. Will they admit it, not if they want to continue breathing.
  • heliomphalodon
    I don't expect any commonly-available encryption software to secure my data against attacks from nation-states. I'll be happy if it keeps my data out of the hands of ordinary thieves.
  • phantomferrari
    This really shouldnt come as a shock to anyone. No matter How much time, money, and effort you spend on securing a product if someone/government wants to access your files and they have the means there will always be an exploit. Its just the nature of the beast