Tech

VeraCrypt audit reveals attacker treasure trove of critical flaws

The open-source encryption software contains severe security problems -- and not all of them can be patched immediately.

Written by Charlie Osborne, Contributing Writer Oct. 19, 2016 at 2:55 a.m. PT

An audit of VeraCrypt has uncovered critical vulnerabilities which could be exploited by attackers to compromise user data.

VeraCrypt is open-source security software. The successor to TrueCrypt, the encryption software is used worldwide to encrypt single files, folders or full disks and builds on the original project with security enhancements and new, modern features.

However, no software is completely safe from attack, and according to the software's recent audit, conducted by cybersecurity firm QuarksLab and sponsored through the Open Source Technology Improvement Fund (OSTIF), VeraCrypt 1.8 and its bootloaders contained a total of eight critical vulnerabilities, three medium flaws and 15 additional bugs of low importance.

The security problems discovered by the audit include memory corruption issues, dead code, inconsistent data reads, unsecured zip libraries and encryption cipher bugs.

One of the main problems that TrueCrypt has in relation to security is the new Unified Extensible Firmware Interface (UEFI) now in use. TrueCrypt, as legacy software, never supported this and so the new UEFI-compatible bootloader not only has to cope with bugs caused by this but security flaws which are present due to the feature being new -- having only been released in August.

The majority of these problems have been fixed in VeraCrypt 1.19 and users are asked to update as soon as possible. However, they are not completely protected from the security issues raised through the audit.

On Twitter, security firm Idrix, which worked on the VeraCrypt audit, clarified that the latest update resolves all issues relating to the software itself and also solves one security flaw inherited from TrueCrypt.

The remaining problems present have all come from the days of TrueCrypt, and fixing them at the moment could cause issues with backward compatibility.

The VeraCrypt team have also disabled the GOST 28147-89 encryption standard as it is deemed unsafe. While existing content based on this standard can still be decrypted, users cannot use this algorithm for future encryption projects.

"Some of these issues have not been fixed due to high complexity for the proposed fixes, but workarounds have been presented in the documentation for VeraCrypt," the researchers added. "VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software."