Mobile
1/6/2016
09:25 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Blackphone Hackable Via Newly Found Bug

Modem flaw in Silent Circle's secure smartphone could be exploited to hijack the phone and intercept and control texts, calls, and other features.

A major security hole has been discovered in Blackphone, the super-secure smartphone from Silent Circle that encrypts phone calls, emails, and text messages, that could allow an attacker to hijack it.

Researchers at SentinelOne today disclosed details of a relatively easy-to-find vulnerability they stumbled upon during a reverse-engineering exercise. They were surprised to discover an open socket that allowed them to communicate with the phone's built-in modem, which opens the door for an attacker to silently send and receive text messages, dial or connect to calls, monitor phone numbers the victim is calling or receiving calls from, tamper with caller ID, redirect the phone to a different cell tower, disable the modem, and forward phone calls to the attacker.

"This is a relatively simple thing that could have been found but nobody did … and on a really secure device. But this was sitting there for a while," says Tim Strazzere, director of mobile research at SentinelOne. "It's a bad vulnerability. But I don't think anyone has used it in the wild" thus far, he says.

And like many bugs found in Internet of Things devices and home modems, the bug was an internal port left wide open. Strazzere says it was likely left often by the developer for debugging purposes. "You can connect to the socket and it allows [you] to run radio commands," he says. The socket, like other such internal ports, allows two programs to interact, he notes.

This is not the first vulnerability discovered in Silent Circle's Blackphone: renowned researcher Mark Dowd last year detailed a memory corruption bug in Blackphone's SilentText messaging app that could be abused to execute code remotely and to take over the phone's controls, including decrypting messages.

Silent Circle fixed the flaw via CVE-2015-6841 on December 7 in its 1.1.13 RCE for the Blackphone. SentinelOne reported to the company on August 25, and the disclosure process was coordinated via Bugcrowd. The bug affects the first-generation Blackphone and not Blackphone 2.

According to Silent Circle, Blackphone 1 users should update to version 1.1.13 RC3 or later. "Further, we are not aware of any known exploits in the wild for this vulnerability," the company said in a blog post today. Steer clear of "untrusted" app sources to avoid downloading malicious apps, the company says. 

This latest Blackphone vulnerability would most likely be used in a targeted attack. "[The previously discovered] vuln was a misconfigured app," Strazzere says. "This [newly discovered one] is more low-level: the modem has a misconfigured file as well, which allows anyone to talk to it," basically bypassing the Android permission-level layer.

Such an attack would come via a rogue app without proper permissions, or remotely executed code planted via a spear phishing email that then could execute an attack, for example, he says. A rogue flashlight app without proper permissions, for example, could send and intercept SMS messages and forward phone calls.

But if an attacker were to dial or connect to calls, the calls would appear on the Blackphone screen, he notes. "But what's interesting is if [I] hijacked the phone with this [vulnerability], I could forward your phone to my phone so you don't receive a call and I accept the calls instead of you," Strazzere says. The attack basically hijacks the cellular operation of the phone, but stops short of grabbing the victim's phonebook, for example, he adds.

The Blackphone uses an Nvidia modem and chipset, and it's the only smartphone that includes that particular modem. Most smartphones use Qualcomm or Mediatech modems.

Even so, other modems could also harbor similar security flaws, Strazzere says. "I think other modems potentially have this issue" as well, he says. 

SentinelOne included technical details of the vulnerability in a blog post today.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Survivalindeed
50%
50%
Survivalindeed,
User Rank: Apprentice
2/23/2017 | 8:55:34 AM
Great Article
Thank you very much, that was very interesting 

 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.