Blackphone given black eye by vulnerability discovery

A vulnerability that allows an attacker to act as a 'shell user' on the first version of SilentCircle's Blackphone has been discovered by SentinelOne.


A vulnerability that allows an attacker to act as a 'shell user' on the first version of SilentCircle's Blackphone has been discovered by SentinelOne, purveyors of endpoint security.

The Blackphone gained notoriety in the security industry for being the only phone that gives users control over app permissions, and for its bundled Silent Phone and Silent Text services, which anonymise and encrypt communications so that no one can eavesdrop on voice, video and text calls.

Speaking with SCMagazine.com, SentinelOne chief security officer Udi Shamir said Silent Circle left an open socket that an attacker could use to communicate with the phone's modem directly. The flaw only affected the Blackphone 1. SilentCircle's Blackphone 2 was not impacted by the vulnerability, Shamir said.

While preparing for a Red Naga training session, SentinelOne's research team found a vulnerability within the Nvidia modem onboard the Blackphone. In a blog post about the vulnerability, SentinelOne director of mobile research Tim Strazzere wrote that they discovered a socket had been left open and accessible:

shell@blackphone:/dev/socket $ ls -l at_pal
srw-rw-rw- radio system 2015-07-31 17:51 at_pal

This meant that the following was possible:

  • Send / receive text messages without the user knowing in any way
  • Dial or connect calls
  • Check the state of phone calls silently
  • Reset APN/SMSC/Power settings
  • Force conference calls with other numbers
  • Force/unforce caller ID settings
  • Find the neighbouring cell towers the phone is connected to
  • Silently register a call forwarding number
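
The listing above shows the socket with mode srw-rw-rw-, meaning every user on the device can read and write it. The following audit for that condition is an added example, not code from SentinelOne's post or from Silent Circle; the function names and the constructed test directory are assumptions made for illustration.

```python
import os
import socket
import stat
import tempfile


def world_accessible_sockets(directory):
    """Return (name, mode string, uid, gid) for each Unix socket in
    `directory` that any local user may write to, as at_pal was."""
    findings = []
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        try:
            st = os.lstat(path)  # lstat: inspect the entry itself, not a symlink target
        except OSError:
            continue  # entry vanished or is unreadable; skip it
        if not stat.S_ISSOCK(st.st_mode):
            continue
        # On Linux, connecting to a pathname socket requires write permission
        # on the socket file, so the "other" write bit means any user can connect.
        if st.st_mode & stat.S_IWOTH:
            findings.append((entry, stat.filemode(st.st_mode), st.st_uid, st.st_gid))
    return findings


def demo():
    """Audit a constructed directory holding one 0666 and one 0660 socket."""
    with tempfile.TemporaryDirectory() as d:
        socks = []
        try:
            # Constructed sample: the names and modes are chosen for this example.
            for name, mode in (("at_pal", 0o666), ("restricted", 0o660)):
                s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
                socks.append(s)
                s.bind(os.path.join(d, name))
                os.chmod(os.path.join(d, name), mode)  # set mode explicitly, ignoring umask
            return world_accessible_sockets(d)
        finally:
            for s in socks:
                s.close()


if __name__ == "__main__":
    for name, mode, uid, gid in demo():
        print(f"{mode} uid={uid} gid={gid} {name}")
```

Pointing `world_accessible_sockets` at a real socket directory reports every socket a restricted user could connect to; each hit should be checked against what the service behind it permits.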

The vulnerability has now been patched, Shamir told SCMagazine.com. He said there was no evidence that the vulnerability was actively exploited, but added, “Unfortunately, you usually hear of exploits much later.”

SentinelOne CMO Scott Gainey said while SilentCircle is heavily focused on security, “even they fell victim to a severe vulnerability within their code.” He said SilentCircle's responsiveness in working with SentinelOne's research team “set an example that other manufacturers should pay attention to and follow.”

Strazzere wrote in the blog post that “The Blackphone is generally considered the most secure smartphone available today.”
