VeraCrypt security audit: Four PGP-encoded emails VANISH

Security researchers running a project to audit open source disk encryption tool VeraCrypt have been spooked by the mysterious disappearance or non-arrival of encrypted communications.

The OSTIF (the Open Source Technology Improvement Fund) mounted an effort to get VeraCrypt independently audited at the start of August. Vulnerability researchers from QuarksLab were recruited to lead the efforts, which is setting out to look for security vulnerabilities or other shortcomings in VeraCrypt's code.

“Using funds that were donated by DuckDuckGo and VikingVPN, we plan to hire QuarksLab to go over the code and search for vulnerabilities and backdoors,” OSTIF explains.

The project parallels a similarly motivated audit of VeraCrypt's predecessor, TrueCrypt. The organisations behind the exercise hope to go public with their findings in mid-September. Until then, participants of the project need to maintain the utmost secrecy.

“The team has been instructed to give any results of this audit directly to the lead developer of VeraCrypt using heavily encrypted communications,” it said. “This is to prevent their research from leaking zero-day vulnerabilities to the public, and so that the OSTIF does not have access to the results ahead of the public.”

Snoop dogged?

Sounds like a plan. However participants in the audit project have been thrown off their game by the mysterious disappearance of four PGP-encoded email messages, each sent by independent parties. OSTIF suspects snooping rather than misadventure.

We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders. Not only have the emails not arrived, but there is no trace of the emails in our “sent” folders.

In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared.

This suggests that outside actors are attempting to listen in on and/or interfere with the audit process.

OSTIF has switched to a different (Unspecified) communications process which might be a sensible course of action anyway, since PGP is notoriously difficult to use and offers no better security than secure messaging alternatives. “If nation-states are interested in what we are doing we must be doing something right,” OSTIF concludes.

Well it’s tempting to think a spy agency might be involved - after all they have the biggest pool of resources to call on - it’s not beyond the bounds of possibility that a profit-motivated hacker might be behind the nobbled communications. Zero-day vulnerabilities in VeraCrypt would easily commend a tidy pay-off from exploit brokers.

It’s all great fodder for conspiracy theorists who, as security industry veteran Graham Cluley notes, have already had a field day over TrueCrypt’s mysterious retirement two years ago. ®