Published on January 8th, 2016 📆 | 1886 Views ⚑0
Anti-NSA Blackphone Not So Secure After all
A security flaw in Blackphone 1 smartphone allowed anyone to take control of the device
Blackphone 1 smartphones, one of many privacy-focused phones in the market was found to have a critical vulnerability which allowed attackers to hijack the phone until a recent fix from the manufacturer.
The flaw was discovered by a team of security researchers at SentinelOne while they were having their training sessions that included learning Icera modem that is used in Blackphone 1 smartphones.
What they found was the modem left a socket open to connections and this socket was tied to internal Android daemon that provides all permissions for hijacking the phone.
So, the vulnerability was that it allowed hackers to run shell commands or some other application on the phone which could allow them to send instructions to the phone to make it run according to their will.
The attackers through these instructions could turn on or off the call IDs for the outgoing call, send or receive messages, change phone’s setting, make calls from the phone, avoid phone from ringing, make conference calls, connect to any telephone towers they want to and etc. All in all, if any attacker would have managed to exploit this vulnerability he could easily have controlled the phone remotely and do anything he likes.
SentinelOne was awarded $500 for finding this vulnerability as Silent Circle had a bounty program which rewarded this amount to anyone who finds a vulnerability in their devices.
Silent circle fixed the vulnerability with the issue of PrivatOS1.1.13 RC3, which is a version of company’s own Android operating system used in their Blackphone models.
In a Q&A session, Silent Circle clarified that for the vulnerability to work it required the device to be internally affected by some malware so for users with no infection at all, the vulnerability would not affect the phone. The security fix has been automatically installed on all the devices.
Note: Blackphone 2.x Branch is not affected from this issue so nothing to worry about for users who have any version of Blackphone2.
This is not the first time when Blackphone smartphones were vulnerable to hacking. In the past, a flaw allowed anyone to take over the smartphone with a text message.