In a mobile market now replete with reports of celebrity phone hacks, data breaches and NSA surveillance, SGP Technologies touts its Blackphone handset as one of the most secure smart phones out there that can protect a user’s privacy.
The Blackphone, however, is not as secure as it’s made out to be, according to one security expert who purchased one of the phones (valued around US$630) only to find that it had a vulnerability that could potentially allow hackers to take remote command of the handset. The vulnerability has since been patched by both Blackphone and encryption communication firm Silent Circle.
“While exploiting my recently purchased Blackphone, I discovered that the messaging application contains a serious memory corruption vulnerability that can be triggered remotely by an attacker,” according to Mark Dowd, principal consultant with Azimuth Security, a consultancy firm in Australia. “If exploited successfully, this flaw could be used to gain remote arbitrary code execution of the target’s handset.”
The attacker would then be able to control the messaging application, which is a standard Android application, Dowd said in a recent blog post.
The attacker only needs to know the target’s Silent Circle ID or phone number to exploit the flaw. Silent Circle is a subscription service which ensures that phone calls, text messages and video chats sent by a subscriber or other Silent Circle member are secured and encrypted end-to-end from their iOS, Android or Windows PC device.
Using the vulnerability, it would be possible for the attacker to:
- Decrypt messages and commandeer the Silent Circle account
- Gather location information
- Access the user’s contacts
- Write to external storage
- Run additional code such as privilege escalation exploits to gain root or kernel access
This is not the first time a crack in the Blackphone’s armour has been found.
At last year’s Def Con hacker conference in Las Vegas, John Sawyer, CTO of Applied Cybersecurity LLC, demonstrated a Blackphone hack.
The hack, however, would have required an attacker to have the phone’s PIN code and physical access to the phone, and to connect it to a PC over USB. The phone would also need to have no encryption installed on it.