SilentCircle's Highly Secure Blackphone Vulnerable to Remote Takeover

Even the mighty fall eventually: The first generation Blackphone, generally considered the most secure smartphone available, has a serious security flaw that could allow an attacker to remotely control the phone’s modem functions.

Baddies could use this to wreak havoc in a number of ways, including turning the ringer on and off, setting caller ID as enabled or not on outgoing calls, sending and receiving text messages without being visible to the device, making calls, uncovering calling information (such as what number a call is connected to, and whether it was incoming or outgoing), setting call forwarding to prevent incoming calls and more.

Developed by SilentCircle’s SGP Technologies, the Blackphone gives users control over app permissions and bundles services such as Silent Phone and Silent Text, which anonymize and encrypt communications so no one can eavesdrop on voice, video and text calls.

The Android handset grew out of the revelations stemming from Edward Snowden's leaks about NSA surveillance, notably that the NSA interfered with the NIST elliptic curve crypto algorithm. After Snowden’s revelations became public, SilentCircle closed down its privacy-conscious email platform in 2013 before reappearing with the improved Blackphone offering in 2014.

But now, as part of a reverse engineering exercise to prepare for a Red Naga training session, SentinelOne discovered a socket that was left open and accessible on the device. The socket is a rare bird—apparently it was otherwise used only by the nVidia Shield tablet, and has since been abandoned by nVidia. So it’s not an obvious choice for hacker probing. Only the first version of the Blackphone is vulnerable, as Blackphone 2 uses a Qualcomm chipset which is not affected.  

However, one of the applications that interacts with this socket has elevated privileges as a system/radio user. This privileged process listens on the socket and writes anything that is received from the socket to a port, which in turn is listened to by the radio.

“This means we’ve found a way to talk directly to the modem,” said the firm’s researchers, in an analysis. “This would allow an attacker to either: run as a shell user and send commands to the radio; or potentially have an Android application with an internet permission send commands to the radio.”

The researchers went on to uncover several commands that an attacker could use to carry out the aforementioned attacks.

“Some of the code looks potentially exploitable,” the researchers noted.

The issue has been fixed through the Bugcrowd bug bounty for SilentCircle.

“This vulnerability illustrates the breadth and depth of the attack surface on this and other devices,” SentinelOne researchers noted. “It also raises some important considerations for security professionals. First, even the most ‘secure’ systems can be vulnerable to attacks. Second, the increasing proportion of third party technology (hardware, drivers, software libraries, etc.) used in today’s devices makes detecting and remediating flaws more difficult than ever. And finally, virtually all vulnerabilities require some form of malware in order to be remotely exploited. Monitoring processes on a device can provide an important layer of detection and response when apparently legitimate requests to perform system functions originate from anomalous sources.”
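The exposure described above, a privileged process serving a socket that any local caller can reach, is something a defender can audit for. The following is an added example, not SentinelOne's or Silent Circle's code: the article does not say what kind of socket was involved, so it assumes a Linux/Android UNIX-domain socket, and the socket names, inodes and owner map are constructed.

```python
# Added example: audit listening UNIX sockets from /proc/net/unix text.
SO_ACCEPTCON = 0x10000  # Flags bit the kernel sets for a listening socket

# Constructed sample (not from the Blackphone); on a device this text
# would come from reading /proc/net/unix.
SAMPLE = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01  4101 @example_modem_relay
0000000000000000: 00000002 00000000 00010000 0001 01  4102 /dev/socket/example_svc
0000000000000000: 00000003 00000000 00000000 0001 03  4103 @example_modem_relay
0000000000000000: 00000002 00000000 00000000 0002 01  4104
"""

# Hypothetical inode -> owning account map; in practice built from the
# /proc/<pid>/fd symlinks, which needs privileges on the device.
OWNERS = {4101: "radio", 4102: "system"}
PRIVILEGED = {"root", "system", "radio"}


def listening_sockets(text):
    """Yield (inode, path) for each listening socket in /proc/net/unix text."""
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 7)
        if len(fields) < 7:
            continue
        flags, inode = int(fields[3], 16), int(fields[6])
        path = fields[7] if len(fields) > 7 else ""  # unnamed sockets have no path
        if flags & SO_ACCEPTCON:
            yield inode, path


def audit(text, owners):
    """Return listeners that are privileged and not guarded by file permissions."""
    findings = []
    for inode, path in listening_sockets(text):
        owner = owners.get(inode, "unknown")
        # Abstract-namespace names ('@' prefix) have no file permissions, so
        # access control falls to the listener itself or to SELinux policy.
        if path.startswith("@") and owner in PRIVILEGED:
            findings.append((inode, path, owner))
    return findings


if __name__ == "__main__":
    for inode, path, owner in audit(SAMPLE, OWNERS):
        print(f"review: {path} (inode {inode}) served by {owner}")
```

A finding here is a prompt for review, not proof of a flaw: the next check is whether the listener authenticates its peer before acting on what it receives.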

In a statement, Blackphone chief security officer Dan Ford thanked the researchers for contributing to its bug bounty program.

He said: “Vulnerabilities are inevitable. It is how you react to those vulnerabilities that counts. How does Silent Circle react? We patch vulnerabilities and give credit where credit is due. For you see, in most cases product security depreciates faster than taking a new car off the car lot. In order to keep the value from depreciating too quickly you must provide careful and consistent maintenance. We take pride in maintaining the security of all our products and will continue to do so.”

In the first year of its Bug Bounty program, Blackphone parent Silent Circle accepted 71 vulnerabilities across all products, services and platforms and paid out significantly more than the minimum reward of $128 per vulnerability.
