Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Kelly Jackson Higgins, Editor-in-Chief, Dark Reading
January 6, 2016
3 Min Read
A major security hole has been discovered in Blackphone, the super-secure smartphone from Silent Circle that encrypts phone calls, emails, and text messages, that could allow an attacker to hijack it.
Researchers at SentinelOne today disclosed details of a relatively easy-to-find vulnerability they stumbled upon during a reverse-engineering exercise. They were surprised to discover an open socket that allowed them to communicate with the phone's built-in modem, which opens the door for an attacker to silently send and receive text messages, dial or connect to calls, monitor phone numbers the victim is calling or receiving calls from, tamper with caller ID, redirect the phone to a different cell tower, disable the modem, and forward phone calls to the attacker.
"This is a relatively simple thing that could have been found but nobody did … and on a really secure device. But this was sitting there for a while," says Tim Strazzere, director of mobile research at SentinelOne. "It's a bad vulnerability. But I don't think anyone has used it in the wild" thus far, he says.
And like many bugs found in Internet of Things devices and home modems, the bug was an internal port left wide open. Strazzere says it was likely left often by the developer for debugging purposes. "You can connect to the socket and it allows [you] to run radio commands," he says. The socket, like other such internal ports, allows two programs to interact, he notes.
This is not the first vulnerability discovered in Silent Circle's Blackphone: renowned researcher Mark Dowd last year detailed a memory corruption bug in Blackphone's SilentText messaging app that could be abused to execute code remotely and to take over the phone's controls, including decrypting messages.
Silent Circle fixed the flaw via CVE-2015-6841 on December 7 in its 1.1.13 RCE for the Blackphone. SentinelOne reported to the company on August 25, and the disclosure process was coordinated via Bugcrowd. The bug affects the first-generation Blackphone and not Blackphone 2.
According to Silent Circle, Blackphone 1 users should update to version 1.1.13 RC3 or later. "Further, we are not aware of any known exploits in the wild for this vulnerability," the company said in a blog post today. Steer clear of "untrusted" app sources to avoid downloading malicious apps, the company says.
This latest Blackphone vulnerability would most likely be used in a targeted attack. "[The previously discovered] vuln was a misconfigured app," Strazzere says. "This [newly discovered one] is more low-level: the modem has a misconfigured file as well, which allows anyone to talk to it," basically bypassing the Android permission-level layer.
Such an attack would come via a rogue app without proper permissions, or remotely executed code planted via a spear phishing email that then could execute an attack, for example, he says. A rogue flashlight app without proper permissions, for example, could send and intercept SMS messages and forward phone calls.
But if an attacker were to dial or connect to calls, the calls would appear on the Blackphone screen, he notes. "But what's interesting is if [I] hijacked the phone with this [vulnerability], I could forward your phone to my phone so you don't receive a call and I accept the calls instead of you," Strazzere says. The attack basically hijacks the cellular operation of the phone, but stops short of grabbing the victim's phonebook, for example, he adds.
The Blackphone uses an Nvidia modem and chipset, and it's the only smartphone that includes that particular modem. Most smartphones use Qualcomm or Mediatech modems.
Even so, other modems could also harbor similar security flaws, Strazzere says. "I think other modems potentially have this issue" as well, he says.
SentinelOne included technical details of the vulnerability in a blog post today.
About the Author(s)
Editor-in-Chief, Dark Reading
Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
You May Also Like
Unbiased Testing. Unbeatable ResultsFeb 22, 2024
Unbiased Testing. Unbeatable ResultsFeb 22, 2024
Your Everywhere Security guide: Four steps to stop cyberattacksFeb 27, 2024
Your Everywhere Security Guide: 4 Steps to Stop CyberattacksFeb 27, 2024
API Security: Protecting Your Application's Attack SurfaceFeb 29, 2024
A screen displaying many different types of charts and graphs to show what data is being analyzed.Cybersecurity Analytics