I am a security researcher who focuses on nation-state/highly privileged attackers, Internet-scale vulnerabilities, and election security. I am currently working on Google's Production Security team to mitigate insider threats, secure core infrastructure, and improve the overall security of Google's products and services. Outside of work, I am still actively researching Internet-scale computer security issues and trying to improve the security and privacy of the Internet as a whole.

My Ph.D. research focused on studying nation-state attackers such as the NSA, GCHQ, and other intelligence agencies to understand their approach to security issues and identify weaknesses that are form-fitted to their ability. Throughout grad school, I was advised by Prof. J. Alex Halderman and funded by an NSF Graduate Research Fellowship, the Post-9/11 GI Bill, Google ATAP, and others.

My work has helped explain intelligence agencies' ability to defeat widely used cryptography, identify and analyze the danger posed by TLS crypto shortcuts, and demonstrate the real-world threat of technical interference in elections by foreign actors. This research has been covered and cited by The Wall Street Journal, The Washington Post, Ars Technica, The Guardian, US-CERT, NIST, FBI Cyber Division, and Playboy, and it has prompted multiple times during the development of TLS 1.3. Outside of academia, I contribute to open-source projects, hunt vulnerabilities, and occasionally fix RFC bugs during job interviews.


Select Publications

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann
22nd ACM Conference on Computer and Communications Security (CCS ’15), October 2015
Best Paper Award
Pwnie Award for Most Innovative Research

Measuring the Security Harm of TLS Crypto Shortcuts

Drew Springall, Zakir Durumeric, and J. Alex Halderman
16th ACM Internet Measurement Conference (IMC ’16), November 2016

Security Analysis of the Estonian Internet Voting System

Drew Springall, Travis Finkenauer, Zakir Durumeric, Jason Kitcat, Harri Hursti, Margaret MacAlpine, and J. Alex Halderman
21st ACM Conference on Computer and Communications Security (CCS ’14), November 2014


Words of Wisdom

Reminder: If it's not exploitable now, that doesn't mean it won't be later

Image Source: Der Spiegel