Major Security Flaw Found in Silent Circle's Blackphone
Jan 7, 2016 10:49 AM PT
Security researchers at SentinelOne on Wednesday revealed a vulnerability they discovered in the Blackphone.
The flaw -- an obscure socket -- lets an attacker take over and control communications on the Blackphone, a highly secure Android smartphone Silent Circle developed and marketed in reaction to news of government surveillance of people's communications.
Silent Circle began taking preorders for the device in 2014, and "despite [its] best attempts, a severe zero day remained undetected for nearly a year before we uncovered it," said Tim Strazzere, SentinelOne's director of mobile research.
No Evidence of Exploitation
The vulnerability, a socket left open and accessible on the Nvidia Icera modem used in the Blackphone, lets attackers take control of many of the modem's functions, including sending and receiving text messages, dialing or connecting calls, and changing the phone's settings.
Attackers could use a malicious application that exploits the vulnerability in the background without the device owner's knowledge, Strazzere told TechNewsWorld.
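The article does not name the socket or describe how SentinelOne found it, so the following is an added example, not SentinelOne's or Silent Circle's code: a small audit that lists every Unix domain socket on an Android or Linux device and flags the ones any unprivileged app could connect to, which is the class of exposure described above. It parses /proc/net/unix, then checks each filesystem socket's permission bits and treats abstract-namespace sockets (the "@name" entries, which have no permission bits at all) as reachable. The socket names and modes in the sample data are constructed for illustration; "/dev/socket/modem_debug" is not a real Blackphone path.

```python
"""Audit Unix domain sockets for endpoints an untrusted app can reach.

Added example (not from the article or the vendors it names).
Sample socket names and modes below are constructed for illustration.
"""
import os
import stat
from typing import Callable, List, Optional, Tuple


def parse_proc_net_unix(text: str) -> List[str]:
    """Return the socket paths listed in /proc/net/unix (header skipped).

    Columns: Num RefCount Protocol Flags Type St Inode Path.
    Unnamed sockets have no Path column and are ignored.
    """
    paths = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 7)
        if len(fields) == 8:
            paths.append(fields[7])
    return paths


def classify(path: str, mode_of: Callable[[str], Optional[int]]) -> Optional[str]:
    """Reason an unprivileged app can connect to `path`, or None if it cannot.

    `mode_of` returns the st_mode of a socket file (None if it is gone);
    it is injected so the logic can run on constructed data offline.
    """
    if path.startswith("@"):
        # Abstract-namespace sockets have no inode, so no DAC bits apply:
        # any process in the same network namespace may connect.
        return "abstract namespace: no filesystem permissions apply"
    mode = mode_of(path)
    if mode is None:
        return None
    if mode & stat.S_IWOTH:
        # connect() on a Unix socket needs write permission on its path.
        return "world-writable (mode %o)" % stat.S_IMODE(mode)
    return None


def find_exposed_sockets(proc_net_unix_text: str,
                         mode_of: Callable[[str], Optional[int]]) -> List[Tuple[str, str]]:
    """List (path, reason) for every socket an unprivileged app can connect to."""
    findings = []
    for path in parse_proc_net_unix(proc_net_unix_text):
        reason = classify(path, mode_of)
        if reason:
            findings.append((path, reason))
    return findings


# Constructed sample: a properly restricted RIL socket, a debug endpoint left
# world-writable, an abstract socket, and an unnamed socket.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
00000000: 00000002 00000000 00010000 0001 01 10234 /dev/socket/rild
00000000: 00000002 00000000 00010000 0001 01 10235 /dev/socket/modem_debug
00000000: 00000002 00000000 00010000 0001 01 10236 @jdwp-control
00000000: 00000003 00000000 00000000 0001 03 10237
"""

# Constructed st_mode values standing in for os.stat() results.
SAMPLE_MODES = {
    "/dev/socket/rild": stat.S_IFSOCK | 0o660,
    "/dev/socket/modem_debug": stat.S_IFSOCK | 0o666,
}


def fs_mode(path: str) -> Optional[int]:
    """Real lookup for use on a device (e.g. under `adb shell`)."""
    try:
        return os.stat(path).st_mode
    except OSError:
        return None


def audit_live() -> List[Tuple[str, str]]:
    """Run the audit against the live system."""
    with open("/proc/net/unix") as f:
        return find_exposed_sockets(f.read(), fs_mode)


if __name__ == "__main__":
    for path, reason in find_exposed_sockets(SAMPLE_PROC_NET_UNIX, SAMPLE_MODES.get):
        print(f"{path}: {reason}")
```

A world-writable mode is necessary but not sufficient for an app to reach the socket on builds that enforce SELinux, so a hit from this check is a lead to confirm by actually connecting from an unprivileged app, not a verdict; conversely, the check says nothing about what the daemon on the other end will accept, which is where the modem-control impact described above comes from.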
Attacks on this open socket would be exploit-based, and "any antivirus- or antimalware-based technology wouldn't prevent it," he observed. "Even an HIPS-based solution that focused on exploits would have missed it since this is a zero-day-based vulnerability with no available signatures used for protection."
The options available to an attacker "are extensive," Strazzere remarked, but "we have seen no evidence that [it] was ever used for surveillance or malicious purposes."
The vulnerability was discovered during a reverse engineering exercise to prepare for a Red Naga training session. Red Naga is a security training group Strazzere and friends created to teach, train and grow the mobile security community at no cost.
The Icera modem is fairly obscure, used only by the Nvidia Shield tablet and "a few phones in India," Strazzere noted.
Because it's obscure, few security researchers have looked into it, and devices in the field "might not be getting updates or the attention that more popular modems would receive," he said.
Following notification from SentinelOne, Silent Circle patched the vulnerability, which was found on the Blackphone 1.
It's not clear whether it exists in the Blackphone 2, which Silent Circle released in September.
The Third-Party Risk Factor
It's possible the socket was left open for debugging purposes in preproduction and was mistakenly left that way in production devices, Strazzere speculated.
Most mobile makers use third-party technology.
Third parties for both hardware and software components "are part of the supply chain for mobile device manufacturers and represent a significant risk," said Tim Erlin, director of IT security and risk strategy for Tripwire.
However, providing assurance for both hardware and software "has really been limited to high-level government equipment, so there are few assurance operations [for] the consumer goods market," he told TechNewsWorld.
Third-party providers typically are granted access to critical elements of the internal infrastructure and to sensitive data, said István Szabó, product manager at BalaBit. One remedy would be to monitor and record all activities when third parties access internal systems.
Such monitoring "gives the mobile device producer the ability to detect and immediately terminate sessions if something suspicious occurs ... and provides important evidence to help investigations should an incident occur," he told TechNewsWorld.
Another option is to use a behavioral-based technology such as the one SentinelOne offers to detect, prevent and remediate against attacks.
Silent Circle did not respond to our request to comment for this story.