Security Experts:

Researchers Uncover Security Vulnerabilities in Ultra-Private Blackphone

Multiple vulnerabilities have been identified in Blackphone, the first smartphone developed with security and privacy in mind, a researcher announced on Twitter on Sunday.

Jon "Justin Case" Sawyer, CTO of Applied Cybersecurity, and Tim "diff" Strazzere, lead research and response engineer at Lookout Mobile Security, gave a talk titled "Android Hacker Protection Level 0" at Def Con 22 in Las Vegas on Sunday. In addition to their presentation, Sawyer announced that they've also managed to hack the Blackphone.

Blackphone RootedBlackphone is powered by a security-enhanced operating system, PrivatOS, which is built on Android KitKat and designed to provide users protection and control over security issues.

Sawyer said they uncovered three vulnerabilities, which he described on Twitter as "USB debugging/dev menu removed, open via targeted intent," "remotewipe app runs as system, and is debuggable, attach debugger get free system shell" and "system user to root, many available."

Dan Ford, chief security officer at SGP Technologies, the joint venture of Silent Circle and Geeksphone that produces Blackphone, provided some clarifications on Sunday after having a chat with the researcher.

Sawyer published a screenshot to demonstrate that he could gain root access and enable the Android Debugging Bridge (ADB) without unlocking the bootloader. According to Ford, the feature has been turned off because it causes a bug that can negatively impact user experience.

Ford believes that turning on ADB isn't a vulnerability because the component is part of the Android operating system, but the researcher disagrees and argues that enabling USB debugging is a flaw if SGP Technologies explicitly disabled the ability to do so. Nevertheless, a patch for this issue will be made available soon, Ford said.

The second issue identified by the researchers is accurate but, according to Ford, it was already patched via an over-the-air (OTA) update on August 1, two days after it was discovered. Sawyer admitted that he conducted his tests on an older version of the firmware.

"I would like to thank [Sawyer] for not blowing the issue out of proportion and going back to the twittersphere for a little more transparency by explaining that direct user interaction is required and that we had already patched one of the vulnerabilities through the OTA update," Ford wrote in a blog post.

No details have been made available for the third bug uncovered by the researchers, but the CSO of SGP Technologies promised to release a fix for it shortly after they have all the information they need.

"We will get the details, and feel confident that we will have the system patched just as fast as last time. That is our commitment to the community – to close the threat window faster than any other OEM," he said.

During Def Con, SGP Technologies sold a limited number of Blackphones for $600 cash – a slight discount to the current online price of $629.00. The company started shipping handsets in late June.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.