Editor’s note – story updated at 9:30 AM to reflect Silent Circle’s blog post response to the issue.
The Blackphone may be designed to emphasize user privacy, but even it is prone to security vulnerabilities that could be exploited by criminals, according to a mobile security researcher.
Tim Strazzere, director of mobile research at SentinelOne, discovered a vulnerability in the modem of the Blackphone, a mobile device made by Silent Circle that is built to prioritize user privacy. The Blackphone is an Android device running software customized by Silent One to improve privacy and security. After hearing that Silent Circle was planning to release the Blackphone 2, Strazzere decided to take a close look at the first Blackphone that he had in his possession.
Preparing for a training presentation at Defcon, Strazzere applied the vulnerability-discovering process that he was going to teach to his Blackphone and bingo – he stumbled across a big hole. It led to a cash reward and a patch being released by Silent Circle.
“People keep doing the same mistakes and people don’t understand how we find these – it’s not black magic,” Strazzere says. In fact, he considers himself a white hat hacker. “We want to train people on how to find these and why they’re occurring.”
The vulnerability was related to an open socket used by the modem in Blackphone. The modem is manufactured by nVidia – a company not usually in the business of making modems – and has been used in very few products ever released to market. Blackphone was first released in June 2014.
Had an attacker learned of the vulnerability and chosen to exploit it, the attack could have been carried out through an app with malicious components, Strazzere says. Apps that need specific communications or memory access normally must obtain permission from the user, but by using this vulnerability to talk directly to the modem, that permission check could have been bypassed.
“You’re just telling the modem directly, so the Android software doesn’t know what’s going on,” he says.
In a blog post response that also went live on Wednesday, Silent Circle thanked Strazzere for his work and emphasized that it has a policy of patching vulnerabilities rapidly, being transparent, and giving credit (plus a bounty payment) to those who find the bugs.
“In most cases product security depreciates faster than taking a new car off the car lot,” writes Dan Ford, chief product officer at Silent Circle. “In order to keep the value from depreciating too quickly you must provide careful and consistent maintenance.”
The vulnerability only affects the first Blackphone, not the new Blackphone 2, Ford points out. Original Blackphone users should ensure they are upgraded to version 1.1.13 RC3 or later.
In a blog post that goes into technical detail on how the vulnerability worked, Strazzere lists the actions an attacker could have executed:
- Prevent the phone from ringing
- Enable or disable caller ID for outgoing calls
- Send an SMS message that would not be visible to the Android system
- Set up call forwarding so that incoming calls never show up on the device
- Check the state of phone calls, dial a number, or force a conference call
- Find the neighbouring cell towers the device is connected to
Strazzere notified Silent Circle of the problem and the issue has since been fixed. The researcher commends the company for its quick reaction to his find. He even collected a $500 reward through a bounty program the company offers.
“I put new tires on my motorcycle, so I was happy,” he says.
Silent Circle says that its Security Center app provides a countermeasure against malicious apps that could have attempted to use this vulnerability. That function lists all the apps on a device and is triggered by each new app install.
It’s not the first time a major vulnerability has been uncovered in Blackphone. An Australian researcher discovered a problem with Silent One’s messaging application in January 2015. That vulnerability was also patched.
Buyers should look to buy products from companies like Silent Circle that are transparent about the vulnerabilities they encounter and responsive in fixing them, Strazzere says. He points out that the Blackphone 2 is already out, yet Silent Circle still supported its original Blackphone users by patching the vulnerability.