Blackphone, a mobile phone aimed at users who want to keep their communications safe from mass surveillance, is affected by a critical security vulnerability that can be exploited to reveal users’ contacts, the content of their (encrypted) messages and their location, and to load additional code that gives the attacker complete control over the handset.
The good news is that the hole has been plugged.
The flaw was discovered by Mark Dowd, an Australian security researcher and co-founder of the security consultancy Azimuth Security, who responsibly disclosed it to the device’s makers and to Silent Circle, the developer of the SilentText app, which is the application that introduced the flaw into the device.
To exploit the flaw, an attacker needs only to know the target’s Silent Circle ID or phone number; the vulnerability is triggered by a specially crafted message.
“The SilentText application bundled with Blackphone (and also made available as a standalone app for Android and iPhone) provides the ability for users to send text messages and share files over an encrypted channel. This encrypted channel is established and managed using the ‘Silent Circle Instant Message Protocol’ (SCIMP), which is tunneled over Silent Circle’s XMPP servers. SCIMP provides end-to-end encryption, so that data exchanged in a given conversation cannot be decrypted by an eavesdropping third party (including Silent Circle),” Dowd explained.
“The SCIMP implementation supplied with SilentText contains a type confusion vulnerability that allows an attacker to directly overwrite a pointer in memory (either partially or in full), which when successfully exploited can be used to gain remote, unauthenticated access to the vulnerable device.”
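The class of bug Dowd describes, a type confusion that lets attacker-controlled bytes land on a pointer either partially or in full, is illustrated by the following C example. It is added here for this write-up and is not code from SilentText, SCIMP or Dowd’s post; the message kinds, record layouts and handler names are hypothetical. A receiver keeps one per-conversation record whose layout depends on its type. The vulnerable handler trusts the type tag in the incoming message instead of the type the record was created with, so a key record processed as a text message has the raw payload copied straight over its callback pointer; the hardened handler checks the tag against the record’s real type before copying anything. The example measures the damage rather than dispatching through the corrupted pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message kinds for this illustration (not SCIMP's wire format). */
enum { KIND_TEXT = 1, KIND_KEY = 2 };
#define PTR_SIZE sizeof(void (*)(void))

/* Text record: the kind tag followed by raw bytes copied from the wire. */
typedef struct { uintptr_t kind; uint8_t text[16]; } text_rec;

/* Key record: the kind tag followed by a callback pointer. The pointer sits at
   the same offset as text[] above, so a write through the wrong view lands on it. */
typedef struct { uintptr_t kind; void (*on_complete)(void); } key_rec;

typedef union { uintptr_t kind; text_rec t; key_rec k; } record;

static void genuine_handler(void) { puts("key exchange complete"); }

/* Vulnerable: the branch is chosen by the tag in the incoming message rather than
   the kind the record was created with, so a key record handled as text gets
   attacker bytes written over its pointer. A short payload overwrites only the
   first bytes (partial overwrite); a 16-byte payload replaces the pointer entirely. */
static int handle_vulnerable(record *r, const uint8_t *wire, size_t len) {
    if (len < 1) return -1;
    size_t n = len - 1 > sizeof r->t.text ? sizeof r->t.text : len - 1;
    switch (wire[0]) {
    case KIND_TEXT: memcpy(r->t.text, wire + 1, n); return 0; /* writes through the text view */
    case KIND_KEY:  r->k.on_complete(); return 0;             /* dispatches through the pointer */
    default:        return -1;
    }
}

/* Hardened: the record's own kind is authoritative, and a message whose tag does
   not match it is rejected before any byte is copied. */
static int handle_hardened(record *r, const uint8_t *wire, size_t len) {
    if (len < 1 || wire[0] != r->kind) return -1;
    if (r->kind == KIND_TEXT) {
        size_t n = len - 1 > sizeof r->t.text ? sizeof r->t.text : len - 1;
        memcpy(r->t.text, wire + 1, n);
        return 0;
    }
    r->k.on_complete(); /* KIND_KEY: the pointer was only ever set by trusted code */
    return 0;
}

/* Sends one constructed attack message (text tag plus payload_len bytes chosen to
   differ from the genuine pointer) to a fresh key record through the vulnerable or
   hardened handler. Returns how many bytes of the stored pointer changed, or -1 if
   the handler rejected the message and left the record untouched. */
int run_attack(size_t payload_len, int hardened) {
    record r;
    uint8_t wire[17], orig[PTR_SIZE], now[PTR_SIZE];
    void (*g)(void) = genuine_handler;

    memset(&r, 0, sizeof r);
    r.kind = KIND_KEY;
    r.k.on_complete = genuine_handler;
    memcpy(orig, &g, PTR_SIZE);

    /* Constructed attacker payload: complement of the real address bytes, then 0x41. */
    if (payload_len > 16) payload_len = 16;
    wire[0] = KIND_TEXT;
    for (size_t i = 0; i < payload_len; i++)
        wire[1 + i] = i < PTR_SIZE ? (uint8_t)~orig[i] : 0x41;

    int rc = hardened ? handle_hardened(&r, wire, payload_len + 1)
                      : handle_vulnerable(&r, wire, payload_len + 1);

    memcpy(now, &r.k.on_complete, PTR_SIZE);
    int changed = 0;
    for (size_t i = 0; i < PTR_SIZE; i++) changed += now[i] != orig[i];
    return rc < 0 && changed == 0 ? -1 : changed;
}

int main(void) {
    printf("vulnerable, 16-byte payload: %d of %zu pointer bytes overwritten\n",
           run_attack(16, 0), PTR_SIZE);
    printf("vulnerable, 2-byte payload:  %d pointer bytes overwritten (partial)\n",
           run_attack(2, 0));
    printf("hardened,   16-byte payload: %d (message rejected, pointer intact)\n",
           run_attack(16, 1));
    return 0;
}
```

Compile with `cc -Wall -o typeconf typeconf.c && ./typeconf`. The partial case is the one that matters in practice: on a little-endian target the first bytes in memory are the low-order bytes of the pointer, so a one- or two-byte overwrite redirects it within its current page or region without the attacker having to know the full address, which is why a partial pointer overwrite is useful even when address space layout randomization is in effect.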
For more technical details about the flaw, check out the researcher’s blog post, which was published on Tuesday, after both Silent Circle and Blackphone had pushed out the patch.