Major Blackphone Security Flaw Discovered
By Jef Cozza / CRM Daily
You might want to think twice before sending that sensitive text message over your supposedly secure Blackphone. A security flaw discovered by an Australian communication security expert could have allowed attackers to decrypt a Blackphone user’s messages, gather location information, and run additional code of the attacker’s choosing.

Blackphone’s manufacturers patched the flaw before it was made public and users can now update their firmware over the air. Still, the news is alarming considering that the Blackphone’s primary aim was to provide users with a secure form of communication. Blackphone has billed itself as the answer to threats from attackers as sophisticated as the NSA (National Security Agency) and its British counterpart, the GCHQ (Government Communications Headquarters).

They Only Need Your Phone Number

The flaw resided in the Silent Text app that comes bundled as part of the phone’s pre-installed security software. Mark Dowd, the founder of the Australian security company Azimuth, was the first to discover the flaw. The messaging app contains a memory corruption vulnerability. Hackers could have used that vulnerability to remotely trigger an attack on the phone, according to a post on Dowd's blog.

“If exploited successfully, this flaw could be used to gain remote arbitrary code execution on the target's handset,” Dowd wrote. “The code run by the attacker will have the privileges of the messaging application, which is a standard Android application with some additional privileges.” Attackers would have even been able to download a list of a user’s contacts by exploiting the flaw, or take complete control of the device, Dowd added.

What may be most disturbing, however, is the ease with which such an attack could have been carried out. Dowd said that all an attacker would have needed to exploit the vulnerability is the phone number or Silent Circle ID number that is associated with the phone. Although the problem has been fixed, the severity of the flaw raises questions about what other vulnerabilities may be lurking on the Blackphone.

Designed To Be Secure

The Blackphone made a splash in the security world when it shipped last summer, amid a wave of revelations of government spying and high-profile criminal hacks. The handset is built as part of a joint venture between Silent Circle, which makes the Silent Circle suite of apps, and the Spanish handset manufacturer Geeksphone. The joint venture is based in Switzerland, the better to assert its privacy bona fides.

The phone runs a customized version of Android KitKat designed to be more secure. Known as PrivatOS, the modified operating system and the $629 smartphone it runs on are supposed to put users' minds at rest when they're sending sensitive communications.

Blackphone allows users to make encrypted phone and video calls and send encrypted text messages via the Silent Circle, Silent Phone and Silent Text apps that come bundled with the handset. Its Wi-Fi manager also works to prevent hackers from attacking via the Wi-Fi connection.

But despite the focus on privacy and security, the Blackphone has nevertheless turned out to be vulnerable to attackers.

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.