Blackphone flaw allows hackers to take control of handset

In a mobile market now replete with reports of celebrity phone hacks, data breaches and NSA surveillance, SGP Technologies touts its Blackphone handset as one of the most secure smart phone out there than can protect a user’s privacy.

The Blackphone, however, is not a secure as it’s made up to be according to one security expert who purchased one of the phones (valued around US$630) only to find out that it had a vulnerability that could potentially allow hackers to take remote command of the handset. The vulnerability has since been patched by both Blackphone and encryption communication firm Silent Circle.

“While exploiting my recently purchased Blackphone, I discovered that the messaging application contains a serious memory corruption vulnerability that can be triggered by remotely by an attacker,” according to Mark Dowd, principal consultant with the Azimuth Security, consultancy firm in Australia. “If exploited successfully, this flaw could be used to gain remote arbitrary code execution of the target’s handset.

Blackphone secure smart phone specs

The attacker would then be able to control the messaging application, which is a standard Android application, Dowd said in his recent blog.

The attacker only needs to know the target’s Silent Circle ID or phone number to exploit the flaw. Silent Circle is a subscription service which ensures phone calls, text messages and video chats sent by a subscriber of other Silent Circle member, are secured and encrypted end-to-end from their iOS, Android or Windows PC device.

Using the vulnerability, it would be possible for the attacker to:

  • Decrypt messages and commandeer the Silent Circle account
  • Gather location information
  • Access the user’s contacts
  • Write to external storage
  • Run additional code such as privilege escalation exploits to gain root or kernel access

This not the first time a crack in the Blakphone’s armour was found.

In Last year’s Def Con hackers conference in Las Vegas, John Sawyer, CTO of Applied Cybersecurity LLC, demonstrated a Blackphone hack.

The hack, however would have required an attacker to have the phone’s PIN code, physical access to the phone and connect it to a PC using a USB. The phone would also need to have no encryption installed on it.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Nestor E. Arellano
Nestor E. Arellano
Toronto-based journalist specializing in technology and business news. Blogs and tweets on the latest tech trends and gadgets.

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now