VeraCrypt audit reveals eight critical vulnerabilities

OSTIF, the organization that arranged the VeraCrypt audit, reports that the company QuarksLab has completed its review of the encryption software's source code. The audit revealed a total of eight critical vulnerabilities, in addition to three moderate and 15 minor vulnerabilities.

As a result of the audit, VeraCrypt has now released version 1.19, which fixes a large part of the problems found in the audit. OSTIF writes that some vulnerabilities have not been addressed due to their complexity, but that VeraCrypt has described workarounds in its documentation. QuarksLab reports that the audit focused on version 1.18 of the VeraCrypt software, which brought some improvements over its predecessor TrueCrypt. Development of TrueCrypt was suddenly stopped in 2014.

The first step of the audit was to verify that the issues identified in the previous audit of version 7.1a of TrueCrypt had been resolved. Next, QuarksLab took a closer look at the new features VeraCrypt introduced. These include support for non-Western encryption algorithms, UEFI support and the ability to use mouse movements to add randomness to the encryption key.

Among the critical vulnerabilities is the availability of the GOST algorithm. Due to implementation errors, QuarksLab has recommended that this be removed completely from version 1.19. The implementation of AES is still vulnerable to timing attacks, according to the researchers, but a fix has not yet been implemented because this part needs to be rewritten. Another vulnerability involved XZip and XUnzip. These parts had to be completely rewritten and have therefore been replaced by libzip.

The QuarksLab researchers write that maintaining VeraCrypt is a difficult task because it requires knowledge of the Windows kernel, various operating systems, the system boot chain, and cryptography. The changes made by Idrix, the organization behind VeraCrypt, would attest to the presence of these skills. Users can use the VeraCrypt software to, for example, encrypt their hard drive and create secure containers.
