VeraCrypt security audit reveals many flaws, some already patched
VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab.
The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report.
The code auditing effort analyzed VeraCrypt 1.18 and its bootloaders.
“A first step consisted in verifying that the problems and vulnerabilities identified by iSec and NCC Group in TrueCrypt 7.1a for the Open Crypto Audit Project had been taken into account and fixed,” the Quarkslab researchers involved in the effort explained.
“Then, the remaining study was to identify potential security problems in the code specific to VeraCrypt. Contrary to other TrueCrypt forks, the goal of VeraCrypt is not only to fix the public vulnerabilities of TrueCrypt, but also to bring new features to the software.”
A short overview of the issues found (fixed and still not fixed) can be found here. The audit report, with mitigations for still unpatched vulnerabilities, can be downloaded from here.
The auditors have noted that the VeraCrypt project “evolves in a good direction and clearly takes into account assessment conclusions.”
They have praised VeraCrypt’s main developer Mounir Idrassi’s skills and knowledge, as well as his willingness to help with the effort and take into consideration their findings.
“When well received by the project’s developers, [evaluations of security projects] provide useful feedbacks to help the project mature. The openess of the evaluation results help build confidence in the product for the final users,” they concluded.
VeraCrypt is available for Windows, OS X and Linux. More specific information about it can be found here.