Hacker Roots Silent Circle’s Blackphone At DefCon

Max Smolaks,

SIlent Circle doubts whether the hack could take place in the wild, but still thanks ‘Justin Case’ for his contribution to the security of the platform

A hacker has apparently defeated the security features of the Blackphone, a privacy-focused smartphone from Silent Circle.

An account belonging to ‘Justin Case’ tweeted from the DefCon security conference about discovering a set of vulnerabilities in five minutes, which helped him enable the Android Debug Bridge (ADB) and get root access to the device without unlocking the Android bootloader.

At first, Silent Circle contested the findings of the hacker, as it turned out that the version of Android on the device wasn’t completely patched and the exploit required physical access. Later it thanked ‘Justin’ for improving the security of the Blackphone and promised a fix as soon as more information becomes available.

Being responsible

Blackphone booth MWCSilent Circle was established in 2012 by a team of cryptography experts which included the author of PGP encryption Phil Zimmerman and the creator of Apple’s whole disk encryption Jon Callas.

The company gained a lot of attention after it announced the Blackphone, a handset that promised to provide unparalleled levels of security, designed in partnership with Spanish manufacturer Geeksphone.

The Blackphone runs PrivatOS, a modified version of Android that includes a full suite of Silent Circle applications, and began shipping to customers in June.

After picking up a unit at DefCon, ‘Justin’ (@TeamAndIRC) discovered not one, but three different issues in PrivatOS, however it is worth noting that these didn’t compromise the security of the Silent Circle apps.

Silent Circle later explained that the first was a conscious design decision that didn’t threaten the system, while the second was already patched. The third vulnerability hasn’t been disclosed yet, since it allegedly concerns a number of phone manufacturers, not just Silent Circle.

“@TeamAndIRC and I had a chat here at Def Con. I would like to thank him for not blowing the issue out of proportion and going back to the twittersphere for a little more transparency by explaining that direct user interaction is required and that we had already patched one of the vulnerabilities through the OTA update,” wrote Dan Ford, CSO at Silent Circle.

“We are under the impression that this [final] vulnerability affects many OEMs and not just Blackphone. When the vulnerability becomes public, we will implement the fix faster than any other OEM,” added Ford in the second post.

Over the past month, Blackberry has engaged Silent Circle in a mud-slinging match over which company’s smartphone platform was more secure. A few BlackBerry fans joined this particular debate, annoying ‘Justin’ so much that he snapped on Twitter:

 

His latest posts suggest the hacker is now completely occupied with breaking the security of the BlackBerry 10 operating system.

Meanwhile, the legendary John McAfee used his time at DefCon to launch the BrownList – a complaints website that doesn’t deal with cyber security in any way.

What do you know about famous hackers? Take our quiz!