BEST OF THE WEB

Blackphone hack highlights Def Con

The battle over who has the most secure smart phone has racheted up in the past year with the revelations by former NSA contractor Edward Snowden of the capabilities of some Western electronic spy agencies.

At last week’s Def Con hacker conference in Las Vegas it accelerated with reports that the new SGP Technologies’ Blackphone, which uses an enhanced version of Android,  had allegedly been rooted in five minutes.

For CSOs hoping to have found a handset that C-level execs could trust it might have been a deflating moment. The fact is the conference attracted people who could get into BlackBerrys and other mobile devices as well. And  as outlined by Ars Technica in this article. the Blackphone hack didn’t take five minutes and relied on a number of narrow circumstances.

Jon Sawyer, the CTO of Applied Cybersecurity LLC, came up with the Blackphone hack, but it required the attacker have physical access to the handset and connect it to a PC via USB, the phone be configured against the set-up recommendations of the manufacturer, that no encryption be installed on it, have the user ignore an unknown application source warning and have the phone’s PIN code.

Whew. As the Ars writer said, the hacker either would have to have got the phone from a very naïve user (Editor’s note: not so unimaginable), or bought the phone himself.

The article has a longer explanation of Sawyer’s attack. Blackphone said it has already issued a patch for one of the vulnerabilities

As for the vulnerabilities of other smart phones, the article notes that at the Black Hat conference, also in Las Vegas last week, researchers showed how the embedded over the air management interfaces used by wireless carriers to push configuration updates could be used to gain root access to BlackBerrys, some Android phones and some iOS devices.

Some hacks are easier than others. No device is completely secure. But IT security pros should be able to advise their staff about appropriate measures to lower risk (like, if you’re talking about an acquisition use a code name for the target company). Lowering risk is what it’s all about.

 

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web