Flaw in Super Secret BlackPhone Underscores Third Party Risk

A flaw in the super-secure Black Phone 1 could allow attackers to send SMS text messages or reroute calls without the owner
A flaw in the super-secure Black Phone 1 could allow attackers to send SMS text messages or reroute calls without the owner’s knowledge, the firm SentinelOne reported. (Image courtesy of Silent Circle.)

In-brief: Black Phone contains a security flaw that could enable a malicious actor to redirect phone calls or secretly send text messages from the device, according to a report from the firm SentinelOne. The culprit: vulnerable third party software.*

Black Phone, the super-secure, super-secret smart phone contains a security flaw that could enable a malicious actor to redirect phone calls or secretly send text messages from the device, according to a report from the firm SentinelOne. The culprit is familiar to device makers everywhere: a vulnerable, third-party software library.

Silent Circle, the firm that makes Black Phone, said the issue affects only the Black Phone 1 and that it issued a fix for the vulnerability discovered by SentinelOne in early December. Any Black Phone 1 users who have updated their software since then are protected. Still, the report is a reminder of the risks attendant with developing complex, multi function devices that combine proprietary and third-party hardware and software components.

Black Phone was designed to keep sophisticated snoopers like the NSA at bay. It  is one of the most secure smart phones available to consumers, providing end to end encryption of voice, text and application data and running SilentOS, a stripped-down variant of Google’s Android OS that is optimized for privacy and security.

According to a report released on Wednesday by SentinelOne, the discovery of the vulnerability in a built-in modem feature of the Black Phone was discovered as part of a reverse engineering exercise that the firm conducted. Researchers at the firm discovered an open- and undocumented socket on the device. Online research led SentinelOne staff back to the Icera modem binary from the firm nVidia that was bundled with the Black Phone. Further, a privileged process associated with the modem that listens on the open socket that SentinelOne detected could allow an attacker who had placed a malicious application on the phone to send commands to the radio or even send standardized commands to the radio component on the phone.

In a worst-case scenario, those commands could be used to send SMS messages from the Black Phone that would not be visible to the user, or to set call forwarding on the device to prevent incoming calls from showing up, SentinelOne said in its report.

For Silent Circle, which patched the issue on December 7, the incident was seen as an affirmation of its commitment to keeping its platform secure by responding to reports of critical issues and fixing vulnerabilities quickly, Chief Technology Officer and co-founder Jon Callas told Security Ledger. The company has promised to fix critical bugs within 72 hours of verifying them. In the case of SentinelOne discovery, however, the fix was released a little more than two months after it was reported and one month after Silent Circle confirmed its existence.

[Read more Security Ledger coverage of third party risk.]

“For us: this was a huge success,” Callas said. “This is why we run bug bounty programs: to make our stuff more secure.” Silent Circle paid a bounty for information on the security flaw to the researcher who discovered it through the site BugCrowd, Callas said.

Callas said the issue has prompted Silent Circle to send its internal security team back to look for other, similar vulnerabilities in third-party components. “We want Black Phone to be the most secure Android phone there is,” he said. While perfect security is a laudable goal, Callas said it is also an unattainable one. A better goal is to “take security seriously” as an organization and develop systems for identifying and addressing vulnerabilities in both the hardware and software that run on the devices.

“Every one of us has some device with a serious bug that we don’t know about,” he said. “But if it is fixed before it can be exploited, that’s like the tree that falls in the forest where there’s nobody to hear it.”

Widespread vulnerabilities linked to shared- and open source software, including Heartbleed, Ghost and Stagefright have fixed attention on the risk posed by third-party software and hardware dependencies. Such vulnerabilities often lurk undetected by vendors and their customers and can lead to compromises. For example, attackers exploited the Heartbleed vulnerability in OpenSSL to hack into the network of Community Health Systems in 2014.

(*) Correction: an earlier version of this story included a photo depicting the Black Phone 2. That phone is not affected by the vulnerability discussed in this article. The article has been updated to include a photo of the affected phone, the Black Phone 1. PFR Jan 7, 2016.

Comments are closed.