Review of SecureDrop Workstation

X41 performed a white-box penetration test against the SecureDrop Workstation, the Qubes OS-based system journalists use to connect to the SecureDrop whistleblower submission system. SecureDrop was originally written by Aaron Swartz and is now maintained by the Freedom of the Press Foundation.

The scope covered only the laptop used by journalists to receive documents and chat messages, open and review them, and store them on USB drives or print them. The server itself and the web site used by sources were out of scope.

The full report of the security audit: https://www.x41-dsec.de/static/reports/X41-SecureDrop-Audit-Final-Report-PUBLIC.pdf

SecureDrop

SecureDrop is an open-source, secure, and anonymous submission system designed for whistleblowers, journalists, and media organizations to communicate and share documents securely.

Results

Four vulnerabilities were discovered, two of which were fully mitigated by the end of the audit. These were a (harmless) issue with the filtering of ANSI escape sequences in the SecureDrop Workstation updater, and an issue that allowed a malicious journalist to leak the content of another source's submission when files are converted to PDF before printing.

The remaining two vulnerabilities require a change to the protocol used between the server and the SecureDrop Workstation; this will be addressed in a future version.

These two vulnerabilities would allow an attacker who controls the sd-proxy qube (the VM that relays traffic between the Workstation and the server) to partially intercept and modify communication between a source and a journalist, and to tamper with documents. The root cause is that data passing between the server and the sd-app qube (or any other qube besides sd-proxy) is not signed end-to-end, so sd-app has no way to detect that the proxy altered it in transit.
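The following is an added illustration of the failure mode described above, not code from SecureDrop or from the X41 report. It models the three parties (server, a compromised sd-proxy, sd-app) as plain Python functions and shows that a relay can rewrite an unauthenticated reply undetected, while an end-to-end integrity check that the relay cannot recompute makes the same tampering detectable. The key, the payloads and the tampered text are all constructed for the example; an HMAC with a secret shared by server and sd-app stands in for a proper public-key signature so that the snippet runs with the standard library alone.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed example key: stands in for a secret held by the server and sd-app
# only. A real design would use a public-key signature so that sd-app needs
# nothing but the server's public key; an HMAC keeps this example dependency-free.
SHARED_KEY = b"example-key-known-to-server-and-sd-app-only"


def canonical(payload: dict) -> str:
    """Serialise a payload deterministically so both ends compute the same tag."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def server_reply(payload: dict, signed: bool) -> dict:
    """Server side: wrap a reply, optionally authenticating the body end-to-end."""
    body = canonical(payload)
    msg = {"body": body}
    if signed:
        msg["tag"] = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return msg


def compromised_proxy(msg: dict) -> dict:
    """Models a compromised sd-proxy that rewrites a reply in transit.

    The proxy never holds SHARED_KEY, so it cannot recompute a valid tag
    for the modified body; it can only forward the old one or drop it.
    """
    payload = json.loads(msg["body"])
    payload["message"] = "Meet at the old bridge at 22:00"  # constructed tampered text
    tampered = dict(msg)
    tampered["body"] = canonical(payload)
    return tampered


def sd_app_receive(msg: dict, require_tag: bool) -> Optional[dict]:
    """sd-app side: return the accepted payload, or None if the integrity check fails."""
    if require_tag:
        tag = msg.get("tag")
        if tag is None:
            return None  # stripped tag: treat as tampering, not as "unsigned but fine"
        expected = hmac.new(SHARED_KEY, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
    return json.loads(msg["body"])


# Constructed sample reply from a source to a journalist.
ORIGINAL = {"source": "source-A", "message": "Documents are in the dropbox"}


def demo() -> dict:
    """Run the unsigned and the signed variant through the compromised proxy."""
    unsigned = sd_app_receive(
        compromised_proxy(server_reply(ORIGINAL, signed=False)), require_tag=False
    )
    signed = sd_app_receive(
        compromised_proxy(server_reply(ORIGINAL, signed=True)), require_tag=True
    )
    untampered = sd_app_receive(server_reply(ORIGINAL, signed=True), require_tag=True)
    return {"unsigned": unsigned, "signed": signed, "untampered": untampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'rejected' if result is None else result['message']}")
```

The point of the `require_tag` branch is that a missing tag is rejected rather than silently accepted; a downgrade path where the relay strips the tag and the client falls back to the unauthenticated behaviour would give the proxy back exactly the capability the check is meant to remove.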

Exploiting these vulnerabilities would first require an attacker to gain control of the sd-proxy qube, which is a significant hurdle in itself. Their impact is further limited by the exemplary application of defense in depth. Combined with a very proactive and competent security team, these efforts have produced a hardened environment that poses a formidable target even for the most advanced attackers.

The reported informational findings highlight, among other things, gaps in git commit signing enforcement, the use of weak hashing algorithms and the absence of mitigations against compromised submission keys.

Conclusion

While vulnerabilities were identified, none are considered easily exploitable. This lowers their practical risk and indicates that the SecureDrop Workstation is at a good security level compared to systems of similar size and complexity. Addressing the informational findings would make the system more resilient and would benefit SecureDrop installations as part of a defense-in-depth approach.