Get the ECT News Network Editor's Pick Newsletter » View Sample | Subscribe
Welcome Guest | Sign In

Major Security Flaw Found in Silent Circle's Blackphone

By Richard Adhikari
Jan 7, 2016 10:49 AM PT

Security researchers at SentinelOne on Wednesday revealed a vulnerability they discovered in the Blackphone.

The flaw -- an obscure socket -- lets an attacker take over and control communications on the Blackphone, a highly secure Android smartphone Silent Circle developed and marketed in reaction to news of government surveillance of people's communications.

Silent Circle began taking preorders for the device in 2014, and "despite [its] best attempts, a severe zero day remained undetected for nearly a year before we uncovered it," said Tim Strazzere, SentinelOne's director of mobile research.

No Evidence of Exploitation

The vulnerability, a socket left open and accessible on the Nvidia Icera modem used in the Blackphone, lets attackers take control of many of the modem's functions, including sending and receiving text messages, dialing or connecting calls, and changing the phone's settings.

Attackers could use a malicious application that exploits the vulnerability in the background without the device owner's knowledge, Strazzere told TechNewsWorld.

Exploit-based attacks would be used against this open socket, and "any antivirus- or antimalware-based technology wouldn't prevent it," he observed. "Even an HIPS-based solution that focused on exploits would have missed it since this is a zero-day-based vulnerability with no available signatures used for protection."

The options available to an attacker "are extensive," Strazzere remarked, but "we have seen no evidence that [it] was ever used for surveillance or malicious purposes."

The vulnerability was discovered during a reverse engineering exercise to prepare for a Red Naga training session. Red Naga is a security training group Strazzere and friends created to teach, train and grow the mobile security community at no cost.

The Icera modem is fairly obscure, used only by the Nvidia Shield tablet and "a few phones in India," Strazzere noted.

Because it's obscure, few security researches have looked into it, and devices in the field "might not be getting updates or the attention that more popular modems would receive," he said.

Following notification from SentinelOne, Silent Circle patched the vulnerability, which was found on the Blackphone 1.

It's not clear whether it exists in the Blackphone 2, which Silent Circle released in September.

The Third-Party Risk Factor

It's possible the socket was left open for debugging purposes in preproduction and was mistakenly left that way in production devices, Strazzere speculated.

Most mobile makers use third-party technology.

Third parties for both hardware and software components "are part of the supply chain for mobile device manufacturers and represent a significant risk," said Tim Erlin, director of IT security and risk strategy for Tripwire.

However, providing assurance for both hardware and software "has really been limited to high-level government equipment, so there are few assurance operations [for] the consumer goods market," he told TechNewsWorld.

Third-party providers typically are granted access to critical elements of the internal infrastructure and to sensitive data, said István Szabó, product manager at BalaBit. One remedy would be to monitor and record all activities when third parties access internal systems.

Such monitoring "gives the mobile device producer the ability to detect and immediately terminate sessions if something suspicious occurs ... and provides important evidence to help investigations should an incident occur," he told TechNewsWorld.

Another option is to use a behavioral-based technology such as the one SentinelOne offers to detect, prevent and remediate against attacks.

Silent Circle did not respond to our request to comment for this story.

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.

Contact Center AI Explained by Pop Culture
If my employer requires me to return to the company's office full-time to perform my job, I will...
Agree, because I like my job regardless of where I perform my duties.
Comply, because I can't afford to lose my current job.
Go with the flow, but start looking for different employment.
Resign immediately, so I can dedicate all of my time to find a job that better suits my needs.
Try to negotiate a hybrid work from home / work in office arrangement with my employer.
Contact Center AI Explained by Pop Culture
Contact Center AI Explained by Pop Culture