Review of SecureDrop Workstation

X41 performed a white-box penetration test against SecureDrop Workstation, which is used to connect to the SecureDrop whistleblower submission system. The system was originally developed by Aaron Swartz and is now maintained by the Freedom of the Press Foundation.

The scope included only the laptop that is used by journalists to receive documents and chat messages, open and review them, and store them on USB drives or print them. SecureDrop Server and the website used by sources were not in scope.

The full report of the security audit: https://www.x41-dsec.de/static/reports/X41-SecureDrop-Audit-Final-Report-PUBLIC.pdf

SecureDrop

SecureDrop is an open-source, secure, and anonymous submission system designed for whistleblowers, journalists, and media organizations to communicate and share documents securely.

Results

Four vulnerabilities were discovered, of which two were fully mitigated by the end of the audit. These correspond to the (harmless) filtering of ANSI escape sequences in the SecureDrop Workstation updater and an issue enabling sources with malicious intentions to potentially leak the content of another source when files are converted to PDF before printing.

The remaining two vulnerabilities require an update of the protocol facilitating the communication between the SecureDrop Server and Workstation. This will be addressed in a future version.

The vulnerabilities allow an attacker with control over the proxy qube to partially machine-in-the-middle the communication between a source and a journalist, allowing them to tamper with documents. This is due to the absence of data signing between the server and the sd-app (or any other non-sd-proxy) qube: the receiving qube has no way to verify that what the proxy forwards is what the server sent.
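The mitigation the report points to is end-to-end data signing, so that a relaying proxy cannot alter content without detection. The following Go program is an added example written for this summary; it is not SecureDrop's code, and the Envelope field set, the Ed25519 key pair and the message contents are constructed assumptions. The server signs a canonical encoding of each item, the receiving application verifies it with the server's public key, and a simulated proxy modification causes verification to fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Envelope is a hypothetical server-to-app item; the field set is an
// assumption for this example and is not SecureDrop's wire format.
type Envelope struct {
	SourceUUID string
	ItemUUID   string
	Body       []byte
}

// canonical returns an unambiguous byte encoding of the envelope: each field
// is prefixed with its 4-byte big-endian length, so shifting bytes between
// fields changes the signed input even if the concatenation stays the same.
func canonical(e Envelope) []byte {
	var out []byte
	for _, f := range [][]byte{[]byte(e.SourceUUID), []byte(e.ItemUUID), e.Body} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(out, n[:]...)
		out = append(out, f...)
	}
	return out
}

// SignEnvelope is what the server side would do before handing the item to
// the proxy: sign the canonical encoding with its Ed25519 private key.
func SignEnvelope(priv ed25519.PrivateKey, e Envelope) []byte {
	return ed25519.Sign(priv, canonical(e))
}

// VerifyEnvelope is what the receiving (sd-app) side would do: re-derive the
// canonical encoding locally and check the signature against the server's
// public key, which must reach the app by a path the proxy cannot influence.
func VerifyEnvelope(pub ed25519.PublicKey, e Envelope, sig []byte) bool {
	return ed25519.Verify(pub, canonical(e), sig)
}

// ProxyTamper models a proxy qube altering the body in transit while
// forwarding the original signature unchanged.
func ProxyTamper(e Envelope) Envelope {
	t := e
	t.Body = []byte("altered by proxy")
	return t
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		panic(err)
	}
	e := Envelope{
		SourceUUID: "src-0001", // constructed identifiers
		ItemUUID:   "msg-0001",
		Body:       []byte("constructed message body"),
	}
	sig := SignEnvelope(priv, e)
	fmt.Println("genuine item verifies:", VerifyEnvelope(pub, e, sig))
	fmt.Println("tampered item verifies:", VerifyEnvelope(pub, ProxyTamper(e), sig))
}
```

The length-prefixed canonical form matters as much as the signature: if the fields were simply concatenated, an intermediary could move bytes from one field to another without invalidating the signature. Verification also only helps if the public key is pinned in the app qube rather than fetched through the same proxy it is meant to guard against.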

Exploiting these vulnerabilities would require overcoming significant prior hurdles. Further, the vulnerabilities are limited in impact due to the exemplary application of defense in depth. Combined with a very proactive and competent security team, the efforts have resulted in a very hardened environment that will pose a formidable target even for the most advanced attackers.

The reported informational findings highlight, among other things, gaps in git commit signing enforcement, the use of weak hashing algorithms and the absence of mitigations against compromised submission keys.

Conclusion

While vulnerabilities were identified, none are considered easily exploitable by attackers. This lowers their practical risk and indicates that SecureDrop Workstation is at a good security level compared to systems of similar size and complexity. Mitigating the informational findings would make the system more resilient and would benefit SecureDrop installations as part of a defense-in-depth approach.