Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

1/6/2016
09:25 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Blackphone Hackable Via Newly Found Bug

Modem flaw in Silent Circle's secure smartphone could be exploited to hijack the phone and intercept and control texts, calls, and other features.

A major security hole has been discovered in Blackphone, the super-secure smartphone from Silent Circle that encrypts phone calls, emails, and text messages, that could allow an attacker to hijack it.

Researchers at SentinelOne today disclosed details of a relatively easy-to-find vulnerability they stumbled upon during a reverse-engineering exercise. They were surprised to discover an open socket that allowed them to communicate with the phone's built-in modem, which opens the door for an attacker to silently send and receive text messages, dial or connect to calls, monitor phone numbers the victim is calling or receiving calls from, tamper with caller ID, redirect the phone to a different cell tower, disable the modem, and forward phone calls to the attacker.

"This is a relatively simple thing that could have been found but nobody did … and on a really secure device. But this was sitting there for a while," says Tim Strazzere, director of mobile research at SentinelOne. "It's a bad vulnerability. But I don't think anyone has used it in the wild" thus far, he says.

And like many bugs found in Internet of Things devices and home modems, the bug was an internal port left wide open. Strazzere says it was likely left often by the developer for debugging purposes. "You can connect to the socket and it allows [you] to run radio commands," he says. The socket, like other such internal ports, allows two programs to interact, he notes.

This is not the first vulnerability discovered in Silent Circle's Blackphone: renowned researcher Mark Dowd last year detailed a memory corruption bug in Blackphone's SilentText messaging app that could be abused to execute code remotely and to take over the phone's controls, including decrypting messages.

Silent Circle fixed the flaw via CVE-2015-6841 on December 7 in its 1.1.13 RCE for the Blackphone. SentinelOne reported to the company on August 25, and the disclosure process was coordinated via Bugcrowd. The bug affects the first-generation Blackphone and not Blackphone 2.

According to Silent Circle, Blackphone 1 users should update to version 1.1.13 RC3 or later. "Further, we are not aware of any known exploits in the wild for this vulnerability," the company said in a blog post today. Steer clear of "untrusted" app sources to avoid downloading malicious apps, the company says. 

This latest Blackphone vulnerability would most likely be used in a targeted attack. "[The previously discovered] vuln was a misconfigured app," Strazzere says. "This [newly discovered one] is more low-level: the modem has a misconfigured file as well, which allows anyone to talk to it," basically bypassing the Android permission-level layer.

Such an attack would come via a rogue app without proper permissions, or remotely executed code planted via a spear phishing email that then could execute an attack, for example, he says. A rogue flashlight app without proper permissions, for example, could send and intercept SMS messages and forward phone calls.

But if an attacker were to dial or connect to calls, the calls would appear on the Blackphone screen, he notes. "But what's interesting is if [I] hijacked the phone with this [vulnerability], I could forward your phone to my phone so you don't receive a call and I accept the calls instead of you," Strazzere says. The attack basically hijacks the cellular operation of the phone, but stops short of grabbing the victim's phonebook, for example, he adds.

The Blackphone uses an Nvidia modem and chipset, and it's the only smartphone that includes that particular modem. Most smartphones use Qualcomm or Mediatech modems.

Even so, other modems could also harbor similar security flaws, Strazzere says. "I think other modems potentially have this issue" as well, he says. 

SentinelOne included technical details of the vulnerability in a blog post today.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Survivalindeed
50%
50%
Survivalindeed,
User Rank: Apprentice
2/23/2017 | 8:55:34 AM
Great Article
Thank you very much, that was very interesting 

 
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...