A major security hole has been discovered in Blackphone, the super-secure smartphone from Silent Circle that encrypts phone calls, emails, and text messages, that could allow an attacker to hijack it.
Researchers at SentinelOne today disclosed details of a relatively easy-to-find vulnerability they stumbled upon during a reverse-engineering exercise. They were surprised to discover an open socket that allowed them to communicate with the phone's built-in modem, which opens the door for an attacker to silently send and receive text messages, dial or connect to calls, monitor phone numbers the victim is calling or receiving calls from, tamper with caller ID, redirect the phone to a different cell tower, disable the modem, and forward phone calls to the attacker.
"This is a relatively simple thing that could have been found but nobody did … and on a really secure device. But this was sitting there for a while," says Tim Strazzere, director of mobile research at SentinelOne. "It's a bad vulnerability. But I don't think anyone has used it in the wild" thus far, he says.
And like many bugs found in Internet of Things devices and home modems, the bug was an internal port left wide open. Strazzere says it was likely left often by the developer for debugging purposes. "You can connect to the socket and it allows [you] to run radio commands," he says. The socket, like other such internal ports, allows two programs to interact, he notes.
This is not the first vulnerability discovered in Silent Circle's Blackphone: renowned researcher Mark Dowd last year detailed a memory corruption bug in Blackphone's SilentText messaging app that could be abused to execute code remotely and to take over the phone's controls, including decrypting messages.
Silent Circle fixed the flaw via CVE-2015-6841 on December 7 in its 1.1.13 RCE for the Blackphone. SentinelOne reported to the company on August 25, and the disclosure process was coordinated via Bugcrowd. The bug affects the first-generation Blackphone and not Blackphone 2.
According to Silent Circle, Blackphone 1 users should update to version 1.1.13 RC3 or later. "Further, we are not aware of any known exploits in the wild for this vulnerability," the company said in a blog post today. Steer clear of "untrusted" app sources to avoid downloading malicious apps, the company says.
This latest Blackphone vulnerability would most likely be used in a targeted attack. "[The previously discovered] vuln was a misconfigured app," Strazzere says. "This [newly discovered one] is more low-level: the modem has a misconfigured file as well, which allows anyone to talk to it," basically bypassing the Android permission-level layer.
Such an attack would come via a rogue app without proper permissions, or remotely executed code planted via a spear phishing email that then could execute an attack, for example, he says. A rogue flashlight app without proper permissions, for example, could send and intercept SMS messages and forward phone calls.
But if an attacker were to dial or connect to calls, the calls would appear on the Blackphone screen, he notes. "But what's interesting is if [I] hijacked the phone with this [vulnerability], I could forward your phone to my phone so you don't receive a call and I accept the calls instead of you," Strazzere says. The attack basically hijacks the cellular operation of the phone, but stops short of grabbing the victim's phonebook, for example, he adds.
The Blackphone uses an Nvidia modem and chipset, and it's the only smartphone that includes that particular modem. Most smartphones use Qualcomm or Mediatech modems.
Even so, other modems could also harbor similar security flaws, Strazzere says. "I think other modems potentially have this issue" as well, he says.
SentinelOne included technical details of the vulnerability in a blog post today.