NSA Proof Blackphone Fixes SMS Hack

By Paul Liu
Monday, April 20th, 2015

---

Blackphone, the world’s first NSA proof and anti-surveillance Smartphone, has been found to contain a vulnerability that could be exploited by a simple SMS hack attack. Security researchers working at Azimuth Security have discovered that the flaw not only compromises the data stored on the phone but it also allowed the attackers to take complete control of the device. SGP Technologies, the company behind Blackphone, fixed the security loophole soon after it was discovered but the episode has certainly raised questions about the security and privacy features available with the device.

Blackphone’s launch in June’ 2014 marked the arrival of a privacy-centric Smartphone that couldn’t be spied upon by the governments, enterprises or hackers. The device was created and marketed by SGP Technologies which is a joint venture between the Spanish Smartphone company GeeksPhone and the encrypted communications firm Silent Circle. The phone is crafted from high end hardware to provide the highest level of security and it runs on a modified version of Android (dubbed as PrivatOS) which is a lot more secure than a typical mobile operating system. To ensure 100% user privacy and security, Blackphone connects to the internet through a VPN and it even comes loaded with Silent Suite, a collection of apps designed to protect privacy.

Despite Blackphone’s impressive privacy features, a research team working at Azimuth Security found a security loophole within the device that could be activated through a simple SMS hack. The flaw was first discovered by Azimuth employee Mark Dowd in August’ 2014 but its details were published only recently once the vulnerability was patched by the creators of Blackphone. As per the details published by Dowd on his blog, the flaw made it possible for the hackers to access the location information, read the contact details stored on the device as well decrypt text messages.

Dowd also explained how the vulnerability could be exploited remotely by the criminals just by knowing the Smartphone’s phone number or Silent Circle ID. The worst thing about the flaw was that once the initial hack was successful, hackers could take complete control of the device just by inserting a simple piece of code. This meant that the phone could be used to distribute malware and even made part of a botnet attack.

The security team researching the vulnerability found that the loophole existed within the Silent Text application, the app used by Blackphone to send and receive messages. Although Silent Text is a typical Android app, it needs certain additional privileges like access to the internet, access to contacts and location information as well as the ability to write information on an external storage device in order to perform the messaging functionality. The loophole made it possible for the hackers to write information on the device’s memory and then use the system privileges of the app to read information from the phone. Silent Circle, on its part, has said that the vulnerability has already been patched and Blackphone users can run a fix on their devices through a simple update process.

---

• VPN Articles and News

April 20, 2015

• 0 Comments
• Leave Comment