Blackphone Security Flaws Have Been Addressed

Hi all,

Several patches have been issued for the privacy-focused Blackphone 1. The flaws include a modem vulnerability that could have been exploited by malicious actors to take control of the device.

Blackphone is deemed to be one of the most secure smartphones, with applications designed to encrypt voice and text communications to prevent hackers from intercepting potentially sensitive information. The researchers at endpoint security firm SentinelOne found an open and accessible socket in the Blackphone during a reverse engineering exercise for a training session. The socket had been associated with NVIDIA’s Icera modems, which were abandoned in May 2015 by the manufacturer.

According to the analysis, the Icera modem binary named agps_daemon interacted with the open socket. agps_daemon, which had elevated privileges, listened on the open socket and wrote anything it received to a port that it opened (ttySHM3).

They believe that this can be used to communicate with the device’s modem since it listened to the ttySHM3 port.

This allows an attacker with shell user privileges to exploit this bug and send commands to the modem. For this, the attacker has to create a special Android application with Internet permissions to send the commands.

The list of commands available to an attacker includes ones for muting the modem to prevent ringing, toggling caller ID on outgoing calls, sending and receiving SMS messages without the victim’s knowledge, setting up call forwarding and preventing the user from seeing the incoming call, connecting a call (visible to the victim), silently checking the state of phone calls, resetting various settings, forcing conference calls, and finding neighboring cell towers.
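For defenders auditing a device for the same class of exposure (a privileged daemon listening on a socket that any local app can reach), the following added example, which is not code from SentinelOne or Silent Circle, lists TCP listeners owned by system accounts. It assumes the socket shows up in `/proc/net/tcp`; the article does not say what type of socket was involved, and the sample lines are constructed.

```python
import socket
import struct

# Android assigns installed apps uids from 10000 upward (AID_APP_START);
# lower uids belong to system accounts such as root (0) or radio (1001).
ANDROID_APP_UID_START = 10000
TCP_LISTEN = "0A"  # value of the "st" column for a listening socket

# Constructed sample in /proc/net/tcp format (not captured from a Blackphone).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 4321 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10057        0 5555 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:2328 01 00000000:00000000 00:00000000 00000000 10057        0 6001 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(field):
    """Decode 'HEXIP:HEXPORT'; the IPv4 address is a little-endian 32-bit word."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def privileged_listeners(proc_net_tcp_text):
    """Return listening TCP sockets whose owning uid is below the app uid range."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10 or cols[3] != TCP_LISTEN:
            continue  # malformed row, or a socket that is not listening
        uid = int(cols[7])
        if uid >= ANDROID_APP_UID_START:
            continue  # owned by an ordinary app, not a system daemon
        ip, port = decode_addr(cols[1])
        findings.append({"uid": uid, "ip": ip, "port": port, "inode": int(cols[9])})
    return findings


if __name__ == "__main__":
    for f in privileged_listeners(SAMPLE_PROC_NET_TCP):
        print(f"uid={f['uid']} listens on {f['ip']}:{f['port']} (inode {f['inode']})")
```

Each finding still needs manual review: the inode can be matched against `/proc/<pid>/fd` to identify the owning daemon and check what it does with the data it receives.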

Tim Strazzere, director of mobile research at SentinelOne, told SecurityWeek that an attacker would need to find a way to execute code on the targeted device before exploiting this vulnerability. This could be done using malware disguised as an application that the user is tricked into installing on their Blackphone.

This issue can be rated as having medium-high severity, he said.

Last August, SentinelOne reported this bug via a BugCrowd-hosted bug bounty program. Silent Circle classified this flaw as a potential privilege escalation (CVE-2015-6841). The usual reward is $128 per bug, but in this case SentinelOne was awarded $500.

Silent Circle patched the vulnerability on Dec. 7 with the release of PrivatOS 1.1.13 RC3, which also resolves several other security holes, including denial-of-service (DoS), information disclosure, privilege escalation, code execution and Stagefright flaws.

Silent Circle has clarified that Blackphone 1 running versions 1.1.13 RC2 and prior of PrivatOS are affected, but Blackphone 2 is not impacted. The vendor also said that this vulnerability could affect any device using the NVIDIA Icera modem.

By default, the Blackphone is designed to periodically check for PrivatOS updates, which are installed over-the-air (OTA).



Source: Akati
