Exploiting Silent Circle’s Secure Blackphone

The highly secure device could have been exploited, were it not for the responsible disclosure by a security researcher

Any modern device is made up of multiple hardware and software components, any one of which could represent a potential risk. That’s a reality that secure mobile phone vendor Silent Circle has learned with its Blackphone, thanks to the responsible security disclosure from Tim Strazzere, director of mobile research at SentinelOne.

Strazzere found that there was a misconfigured driver for an Nvidia Icera modem that could have potentially enabled an attacker to exploit the Blackphone and its users. Silent Circle has already patched the issue, and there are no reports of any user being exploited by the vulnerability. The issue also only impacted the first generation of the Blackphone, which has been superseded by the Blackphone 2, which does not use the same modem.

The discovery of the Blackphone vulnerability happened somewhat by accident. Strazzere explained that he is part of a group of security professionals known as Red Naga that provides training sessions at the DefCon security conference.

“We wanted to do a training session on reverse engineering an Android device,” Strazzere told eWEEK. “In the step of figuring out how to find vulnerabilities, we found a bunch in many devices. One of the devices before we taught the class was the Blackphone.”

Targeted

blackphone-silent-phone-dual-600x711Red Naga has publicly posted its training materials on GitHub, including the steps the group used to find mobile device vulnerabilities. At a high level, the approach is all about looking for items that appear to be misconfigured in some way. Using that approach, Strazzere found an open socket on the Blackphone and began to investigate if that opening could be used to tell the device to do something it shouldn’t be able to do. The open socket was not an open network port that would have been easily viewable by a remote attacker.

“It’s a local Unix socket that would enable a local application to talk to it,” Strazzere said. “Sockets are how different programs on a device can communicate with other.”

As such, the flaw that Strazzere found on the Blackphone could not be directly remotely exploitable by an attacker on its own. That said, there are several potentially viable attack vectors where the flaw could have been exploited. One attack vector would be to embed the exploit into a malicious application. The application wouldn’t ask for any extraordinary privileges, though it would enable an attacker to send and read SMS messages and to potentially control the phone.

From a root cause perspective, Strazzere explained that the vulnerability is due to a misconfiguration in the Nvidia Icera modem driver that is used on the Blackphone.

“No one should be able to directly talk to the driver, but the ability to do so was likely left in there by accident,” Strazzere said. “It was probably in there for debugging purposes, but no one caught it before it went into a production device.”

Strazzere first reported the issue to Silent Circle at the end of August. Silent Circle uses the Bugcrowd bug reporting platform, which is where Strazzere was able to keep track of the bug and patching process. Bugcrowd provides a managed platform that runs bug bounty programs for companies. For his efforts finding the Blackphone flaw, Strazzere was awarded a $500 bug bounty.

“I had never used Bugcrowd before,” Strazzere said. “It can sometimes be really hard to track a bug and see if a company is fixing a bug, but this was a really painless process and I wish more companies worked through Bugcrowd.”

Can you look after your personal data online? Take our quiz!

Originally published on eWeek.