Public Report – Lantern and Replica Security Assessment

Editor's Note: This security assessment was conducted by a team of our consultants, one of whom, Victor Hora, tragically and unexpectedly passed away a few weeks ago. As we publish this report, we miss our dear colleague immensely and celebrate Victor's life and his wonderful influence on the world. He was a talented security consultant, beloved colleague, and friend to all, who made the world a better place through his kindness, his joy, and - as we see in this publication - his commitment to using his deep technical talents to help serve others and protect the most vulnerable. May his memory serve as an everlasting reminder of the many ways our joy and talent can be used to help others and leave the world a better place than we found it. 


From September 28th through October 23rd, 2020, Lantern – in partnership with the Open Technology Fund – engaged NCC Group to conduct a security assessment of the Lantern client. Lantern provides a proxy for circumventing internet censorship. The assessment was open-ended and time-boxed, providing a best-effort security analysis within a fixed amount of time. Source code was provided to the engagement team.

In the winter of 2022, after Lantern had completed its remediation efforts, NCC Group was asked to re-evaluate several of the findings. The results of that re-evaluation are also included in this Public Report.

Scope & Limitations

NCC Group’s evaluation included:

  • Lantern Common Core: The main component of the software is the cross-platform Lantern core. The core is written principally in Go with some components in other languages, including C, C++, Objective-C, and JavaScript. Testing was performed on the Windows, Android, and iOS client implementations.
  • Replica: A new component within Lantern, a censorship-resistant peer-to-peer content-sharing platform. Replica uses the BitTorrent protocol to provide distributed data access. The following third-party libraries are used to provide BitTorrent functionality:
    https://github.com/anacrolix/torrent
    https://github.com/anacrolix/confluence

This application is intended for use in countries where the Internet is censored; its threat model therefore includes attribution and privacy attacks in addition to conventional software security vulnerabilities. That threat model includes well-resourced attackers with advanced capabilities, such as reading or modifying a target's HTTP/HTTPS traffic without the target's knowledge. Testing was performed on a production version of the client made available at https://getlantern.org/.

NCC Group achieved adequate coverage of the Go code, which forms the backbone of the Lantern client. Some related components were not evaluated:

  • Server-side components were not in scope for the assessment.
  • The project relies on many third-party libraries, which were not thoroughly evaluated.

The Public Report for this review may be downloaded below: