Wednesday, May 28, 2014

TrueCrypt-end

Today, the TrueCrypt website and SourceForge project page suddenly changed, indicating the end of TrueCrypt development. truecrypt.org now redirects to their SourceForge project page, and the content has been replaced with a surprising message:


Not only has development officially ceased, but TrueCrypt is being declared "not secure", and the official webpage is suggesting that people migrate to BitLocker!  (BitLocker is the drive encryption solution built in to some versions of Windows Vista and later.)  Furthermore, a new version 7.2 had been released, which warns users that TrueCrypt is insecure. The repository had been scrubbed, and all previous binaries had been deleted.

I'm sure you could almost hear the collective WTF?! from everyone in the InfoSec community.

A series of edits indicating that the software had been discontinued were even posted to the TrueCrypt Wikipedia page by a user with the handle Truecrypt-end.

At first, it seemed like some pranksters had managed to take over the TrueCrypt website and poke fun by suggesting users migrate to their inferior commercial competitor, BitLocker. Well, the DNS records had not changed, so everything was good there. And SourceForge indicated that there was no suspicious behavior on the account (ya know, aside from closing everything down!)

Of course, rumors abound at all of the tech watering holes, from Slashdot to the /r/sysadmin subreddit to the InfoSec Stack Exchange site and, of course, Twitter. While many still believe that the project was hacked, others are pondering the possibility that the devs were asked to insert a back-door and subjected to a gag order preventing them from disclosing the requirement. The TrueCrypt development team has remained behind the big black curtain for most of its development, which makes the situation even more curious. Perhaps a vulnerability had been discovered and the developers simply didn't want to be involved with the product any more. There is certainly no shortage of opinions on the matter. The most interesting theory I've heard is that this is a sort of warrant canary.


So what about this new version 7.2?

The binaries were signed with the same GPG key as all previous releases, indicating that this release was "official", or at least produced by someone with access to the private key.

Internally, the TrueCrypt.exe executable and the truecrypt(-x64).sys drivers were signed (a la Microsoft Authenticode) with a different certificate than 7.1.1, but that certificate expired shortly after the last release. This new certificate was issued (to the same named entity) shortly before the previous certificate expired. It's very unlikely that someone was able to spoof a new certificate in this manner and had planned it two years ago. [Screenshots tomorrow.]
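The certificate comparison described above, as an added example that is not part of the original post or of TrueCrypt itself: it reads the Authenticode signer of a previous-release binary and of the 7.2 binary with Get-AuthenticodeSignature and checks for the same subject, a different certificate, and a new certificate issued before the old one expired. The two file paths are assumptions; point them at your own copies.

```powershell
# Added example, not from the original post. Paths are assumptions.
$old = 'C:\tc\previous\TrueCrypt.exe'   # assumed path to the previous release binary
$new = 'C:\tc\7.2\TrueCrypt.exe'        # assumed path to the 7.2 binary

function Get-SignerSummary {
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate          # $null when the file is not signed
    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Subject    = $cert.Subject          # the named entity the cert was issued to
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint       # identifies the individual certificate
        NotBefore  = $cert.NotBefore        # issuance date
        NotAfter   = $cert.NotAfter         # expiry date
    }
}

$a = Get-SignerSummary $old
$b = Get-SignerSummary $new
$a, $b | Format-List

# A status other than Valid means the file was not signed or was altered after signing.
foreach ($s in $a, $b) {
    if ($s.Status -ne 'Valid') { Write-Warning "$($s.File): signature status $($s.Status)" }
}

# The three observations the post reasons about.
if ($a.Subject -ne $b.Subject) {
    Write-Warning 'Signer subject changed between releases'
}
if ($a.Thumbprint -eq $b.Thumbprint) {
    Write-Host 'Both releases were signed with the same certificate'
} elseif ($b.NotBefore -le $a.NotAfter) {
    Write-Host 'New certificate was issued before the previous one expired'
} else {
    Write-Warning 'Gap between the previous certificate expiring and the new one being issued'
}
```

A matching subject only shows that a certificate was issued to the same name; who actually controls the key behind it is a separate question.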

The changes to the latest version's source code were posted to GitHub. This paints probably the most confusing picture of all.

First, the code has been littered with warning messages and error codes indicating that "Using TrueCrypt is not secure".  Next, we see that pretty much all of the code related to creating encrypted volumes has been removed, and replaced with AbortProcess ("INSECURE_APP");. We also notice that all code related to updates, error reporting, user's guide/help, or anything pointing back to the TrueCrypt website has been removed.  Clearly, the developers consciously made the decision to burn all bridges, and carefully executed a plan to do so.

What's very bizarre, however, is that while there were 4112 deletions, there were also 1760 additions to the code. Along with other minor bugfixes, it appears that in-place decryption was newly implemented. It looks as if this was code that was part of an upcoming release that brought some improvements after a two-year break. Unfortunately, it also came with mass deletions that rendered the software useless for anyone seeking to create encrypted content.

What are your thoughts?