Mobile
1/6/2016
09:25 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Blackphone Hackable Via Newly Found Bug

Modem flaw in Silent Circle's secure smartphone could be exploited to hijack the phone and intercept and control texts, calls, and other features.

A major security hole has been discovered in Blackphone, the super-secure smartphone from Silent Circle that encrypts phone calls, emails, and text messages, that could allow an attacker to hijack it.

Researchers at SentinelOne today disclosed details of a relatively easy-to-find vulnerability they stumbled upon during a reverse-engineering exercise. They were surprised to discover an open socket that allowed them to communicate with the phone's built-in modem, which opens the door for an attacker to silently send and receive text messages, dial or connect to calls, monitor phone numbers the victim is calling or receiving calls from, tamper with caller ID, redirect the phone to a different cell tower, disable the modem, and forward phone calls to the attacker.

"This is a relatively simple thing that could have been found but nobody did … and on a really secure device. But this was sitting there for a while," says Tim Strazzere, director of mobile research at SentinelOne. "It's a bad vulnerability. But I don't think anyone has used it in the wild" thus far, he says.

And like many bugs found in Internet of Things devices and home modems, the bug was an internal port left wide open. Strazzere says it was likely left often by the developer for debugging purposes. "You can connect to the socket and it allows [you] to run radio commands," he says. The socket, like other such internal ports, allows two programs to interact, he notes.

This is not the first vulnerability discovered in Silent Circle's Blackphone: renowned researcher Mark Dowd last year detailed a memory corruption bug in Blackphone's SilentText messaging app that could be abused to execute code remotely and to take over the phone's controls, including decrypting messages.

Silent Circle fixed the flaw via CVE-2015-6841 on December 7 in its 1.1.13 RCE for the Blackphone. SentinelOne reported to the company on August 25, and the disclosure process was coordinated via Bugcrowd. The bug affects the first-generation Blackphone and not Blackphone 2.

According to Silent Circle, Blackphone 1 users should update to version 1.1.13 RC3 or later. "Further, we are not aware of any known exploits in the wild for this vulnerability," the company said in a blog post today. Steer clear of "untrusted" app sources to avoid downloading malicious apps, the company says. 

This latest Blackphone vulnerability would most likely be used in a targeted attack. "[The previously discovered] vuln was a misconfigured app," Strazzere says. "This [newly discovered one] is more low-level: the modem has a misconfigured file as well, which allows anyone to talk to it," basically bypassing the Android permission-level layer.

Such an attack would come via a rogue app without proper permissions, or remotely executed code planted via a spear phishing email that then could execute an attack, for example, he says. A rogue flashlight app without proper permissions, for example, could send and intercept SMS messages and forward phone calls.

But if an attacker were to dial or connect to calls, the calls would appear on the Blackphone screen, he notes. "But what's interesting is if [I] hijacked the phone with this [vulnerability], I could forward your phone to my phone so you don't receive a call and I accept the calls instead of you," Strazzere says. The attack basically hijacks the cellular operation of the phone, but stops short of grabbing the victim's phonebook, for example, he adds.

The Blackphone uses an Nvidia modem and chipset, and it's the only smartphone that includes that particular modem. Most smartphones use Qualcomm or Mediatech modems.

Even so, other modems could also harbor similar security flaws, Strazzere says. "I think other modems potentially have this issue" as well, he says. 

SentinelOne included technical details of the vulnerability in a blog post today.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Containing Corporate Data on Mobile Devices
Containing Corporate Data on Mobile Devices
If youre still focused on securing endpoints, youve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.