28 January 2015
A security vulnerability found in the Blackphone security suite allowed a cyberattacker to access and decrypt messages, steal contacts and control the mobile device remotely.
Blackphone is touted as a consumer-grade smartphone developed in light of post-Snowden privacy concerns. The device, equipped with a custom Android operating system, features remote wiping tools and an app suite which utilizes encryption technology for making calls, sending texts and sharing files.
The gadget and partner app suite may be more secure than your average Android device, but no device is 100 percent secure — as security researcher Mark Dowd has demonstrated.
As reported by Ars Technica, Dowd, part of Australia-based Azimuth Security, has written a lengthy blog on how cyberattackers were able to use a Silent Circle ID or phone number to remotely exploit a security bug.
The security flaw was present in Blackphone’s secure text messaging application, SilentText, which is bundled with the phone and is also available for free on Google Play. Dowd says the app contained a “serious memory corruption vulnerability” which if exploited successfully could be used to remotely execute code and gain privileges on the messaging app. Specifically, the bug allowed a remote attacker to decrypt messages, take control of SilentCirce accounts, gather location information, read and steal contact lists, write to external storage and run additional code — such as privilege escalation, which could lead to taking complete control of the device.
The SilentText messaging app allows a user to send text messages and share files over an encrypted channel. Managed by Silent Circle’s Instant Message Protocol (SCIMP), the channel is tunneled over Silent Circle’s XMPP servers. SCIMP provides end-to-end encryption, but due to a type confusion vulnerability contained within the SCIMP implementation, data types were mistaken for each other.
A component dubbed libscimp caused this confusion. The component’s flaw allowed pointers to be corrupted in order to gain arbitrary code execution. As a result, an attacker was able to take advantage of this confusion and overwrite a pointer in memory, which when successfully exploited, could result in a gadget being hijacked or personal data loss.
Luckily for Blackphone users, Dowd privately reported the security vulnerability to Silent Circle and the issue has been resolved. However, it does remind us that no matter how stringent levels of security on a device are touted to be, no gadget is completely secure.
Source – http://www.zdnet.com/article/security-vulnerability-in-blackphone-service-exposed/