Security Advisory: Do not scan QR codes submitted through SecureDrop with connected devices
We have recently become aware of attacks attempting to exfiltrate data from the SecureDrop airgapped Secure Viewing Station. These attacks come in the form of QR codes that journalists must scan with an internet-connected device such as a phone. The QR code contains a link that sends exfiltrated data from the airgap environment to an attacker.
Recall that the airgap environment in SecureDrop consists of the Secure Viewing Station, or SVS. It is critical to the security of SecureDrop that data is not unintentionally removed from the airgap environment. The attacks we are currently aware of come in the form of a SecureDrop submission. The submission will be a .desktop file that when opened will produce a QR code in a .doc file with the text “Password to the attached file can be found at the URL below”. Further details will appear shortly in the GitHub issue tracking this at https://github.com/freedomofpress/securedrop/issues/2238. Since this issue was disclosed publicly on Twitter, we will be posting in public.
Never scan QR codes from the airgap/Secure Viewing Station using a network connected device. Immediately advise all journalists never to scan QR codes from the airgap (Secure Viewing Station) with internet connected devices.
Immediately ask all journalists if they have received QR codes from the airgap, and if they scanned them with their phones. Please report to us if you received or scanned QR codes. Do not send us the QR codes that were scanned. If you inform us of successful attack, we will follow with further incident handling instructions.
Please do not hesitate to contact us through this support portal, or via PGP-encrypted email at [email protected] using key ID 734F 6E70 7434 ECA6 C007 E1AE 82BD 6C96 16DA BB79. If you did not receive the Security Advisory via email, please email [email protected] and let us know.