Security advisory:

Security Advisory

Security Advisory: Do not scan QR codes submitted through SecureDrop with connected devices

August 31, 2017

Summary

We have recently become aware of attacks attempting to exfiltrate data from the SecureDrop airgapped Secure Viewing Station. These attacks come in the form of QR codes that journalists must scan with an internet-connected device such as a phone. The QR code contains a link that sends exfiltrated data from the airgap environment to an attacker.

Details

Recall that the airgap environment in SecureDrop consists of the Secure Viewing Station, or SVS. It is critical to the security of SecureDrop that data is not unintentionally removed from the airgap environment.  The attacks we are currently aware of come in the form of a SecureDrop submission. The submission will be a .desktop file that when opened will produce a QR code in a .doc file with the text “Password to the attached file can be found at the URL below”.  Further details will appear shortly in the GitHub issue tracking this at https://github.com/freedomofpress/securedrop/issues/2238. Since this issue was disclosed publicly on Twitter, we will be posting in public.

Actions

Never scan QR codes from the airgap/Secure Viewing Station using a network connected device.  Immediately advise all journalists never to scan QR codes from the airgap (Secure Viewing Station) with internet connected devices.

Incident Handling

Immediately ask all journalists if they have received QR codes from the airgap, and if they scanned them with their phones.  Please report to us if you received or scanned QR codes. Do not send us the QR codes that were scanned. If you inform us of successful attack, we will follow with further incident handling instructions.

Support

Please do not hesitate to contact us through this support portal, or via PGP-encrypted email at securedrop@freedom.press using key ID 734F 6E70 7434 ECA6 C007 E1AE 82BD 6C96 16DA BB79.  If you did not receive the Security Advisory via email, please email securedrop@freedom.press and let us know.

Return to News