Silent Circle's Blackphone Exploited at Def Con

Def Con shows no mercy. As gleefully reported by sites several Blackberry-centric sites, researcher Justin Case yesterday demonstrated that he could root the much-heralded Blackphone in less than five minutes. From n4bb.com's linked report: "However, one of the vulnerabilities has already been patched and the other only exploitable with direct user consent. Nevertheless, this only further proves you cannot add layers of security on top of an underlying platform with security vulnerabilities." Case reacts via Twitter to the crowing: "Hey BlackBerry idiots, stop miss quoting me on your blogs. Your phone is only "secure" because it has few users and little value as a target."

(Timmyboy) Thanks 4 da (article)

And (thanks) for all (ur) wee-todd-did (parAnthetical) insertions which have no reason (or merit!)

Re:(Timmyboy) Thanks 4 da (article)

They really need to fire timothy. Really good that kdawson left, but we NEED timothy to leave. Bring back Taco and Neal and FIRE timothy I say.
 
captcha: concern

Re:(Timmyboy) Thanks 4 da (article)

Mod parent up

Re:(Timmyboy) Thanks 4 da (article)

[Dishevel]

Maybe we can get DARPA to decide to kill him instead of innocent passwords.

What underlying platform?

Just Blackberry's, or all telecommunications platforms?

Re:What underlying platform?

[AchilleTalon]

Blackphone is not a BlackBerry phone, it is a competitor. That's why BB fans quoted Justin Case as if he did prove BB is superior to Blackphone, which isn't what he proved. BlackBerry's CEO claimed the Blackphone was only consumer-grade privacy, not business grade privacy, implying BB products are superior in terms of security. Which Justin Case doesn't agree claiming they appear safer only because they are a low interest traget to hackers.

To summarise, it is not about underlying BB platform at all, rather than about the Blackphone underlying platform.

Re:What underlying platform?

[demachina]

Not clear if Case is claiming Blackberry's were never of interest to hackers or are just of no interest lately.

Blackberrys were until recent years very high value targets, they were the phone of choice on Wall Street, for politicians and reporters.

It wasn't that long ago repressive regimes like Saudi Arabia were telling Blackberry to back door their phones/servers or get locked out of their market which tends to suggest they must have been pretty good at something.

There is probably something to be said for phones without a third party app market if security is job one. Android in particular is a pretty juicy target for malware.

Still Secret Source?

[bill_mcgonigle]

Blackphone is the "you can't look at it, but trust us" self-proclaimed "security" company, right? And it's easily exploitable?

Dog-bites-man story.

Re:Still Secret Source?

[chihowa]

It's one reason why I can't rally behind Phil Zimmerman, as much as I like PGP and appreciate much of what he's done. His insistence on keeping security software secretive and closed source, while seeming to understand the concept of trust, is baffling.

Re: Still Secret Source?

Indeed. If you are going to write software that can secure something it should be solid enough that be able to view the code doesn't allow someone to just punch holes right through said security. Security through obscurity is something even Microsoft has learned doesn't work so why is this champion of secure computing trying to push it

Re:Still Secret Source?

[bug1]

+1

Re:Still Secret Source?

[hsmith]

AFAIK all of blackphones source is in the public.

miss quoting

[Frankie70]

Hey BlackBerry idiots, stop miss quoting me on your blogs.

Misquoting Justin, misquoting. Not miss quoting.

Re:miss quoting

That's what she said. (Do you see what I did there?)

Re:miss quoting

You're reading it wrong. It's Miss Quoting as in Miss Congeniality. She likes to quote things.

Re:miss quoting

Justin Case? That's why I still keep my Blackberry around. I'm not Miss Quoting.

Re:miss quoting

I think you will find it is Mrs Quoting thank you very much!
How rude!

Sure about that?

"this only further proves you cannot add layers of security on top of an underlying platform with security vulnerabilities."

Ok, so explain the TSA...

Why the story is so Blackberry focused?

[gmuslera]

How it affects Blackberry that an Android-based OS focused on security and privacy have some vulnerabilities? Is not BB10 OS based, even having an emulation layer that enables it to run Android programs. They could as well talk about iOS or Windows Phone users too. Even Tizen (that at least run Linux as Android) would be more related to this than Blackberry.

Re:Why the story is so Blackberry focused?

Because of this: http://www.theguardian.com/technology/2014/jul/16/blackphone-blackberry-smartphone-security-row

Re:Why the story is so Blackberry focused?

The summary clearly explains the connection with relevent links. Do you have the attention span of a gnat?

Direct user consent?

[JaredOfEuropa]

I read somewhere else that the remaining vulnerability involved "plugging the phone into a PC". A modified charger might exploit the vulnerability equally well, and it already sounds a lot worse than requiring my direct consent.

For some people (upper management, dissidents and the like), secure communication is not sufficient, they also need the phone to remain secure if it is lost or stolen. If having posession of the phone is the only thing that stands in the way of rooting it using this exploit, it is a serious flaw indeed.

Re:Direct user consent?

[ledow]

Physical access to any electronic device is basically an avenue for compromise. You really can't avoid it - at that point, it's no longer a question of "is the device secure?" as "is is STILL secure"... the only factors are how long it's out of your possession and how many obstacles are in the way of compromising it.

Same as anything with computers - physical access to the machine means it's game over. This applies for everything from games consoles to dvd players to phones to DRM schemes to "secure boot".

Physical access is game over. If you're lucky, you've used perfect forward secrecy and implemented it perfectly and know the device is missing and immediately blacklist it from your systems. Anything else (like real-life) is a security hole.

Re:Direct user consent?

[JaredOfEuropa]

The only factors are how long it's out of your possession and how many obstacles are in the way of compromising it.

Exactly. So in order to secure your phone, you want to throw as many obstacles in the path of the thief as possible.
PIN lock? Good.
PIN lock w/ 3 attempts and automatic wipe after? Better.
Automatic wipe if the phone has not been unlocked in a certain period of time? Even better.
Allowing unlock after a certain amount of time only if the phone can contact a certain server (so it can receive and a remote wipe command if one was issued)? Better still.
Data-at-rest is encrypted? It better be.

To get past security measures like these, you need a fair amount of skill and sophisticated tools. Casual thieves, law enforcement and probably many intelligence agencies will have a pretty hard time getting at this data. The NSA, who knows. But if there's a root exploit that only relies on the ability to hook up your phone to a PC, all of the above is pointless, and any punk off the street will be able to get at your stuff.

Re:Direct user consent?

[GuB-42]

You have to balance things somehow. I'm not sure many people will want their phone to be wiped just because someone looks at it funny.
If you make it easy to inadvertantly wipe data, you also need to have easy to access backups and these can be a security issue in their own right.

Re:Direct user consent?

[Dishevel]

Yes. But what you do not want is to have physical access to the device means "Game over" in 5 minutes or less.

Re:Direct user consent?

[Dishevel]

I would be fine with that. As long as there is a central server I can get my data back from.

Shit have my phone back up every day at 11:30 PM, Wipe at 2 AM. Restore at 5 AM.

Fine by me.

Re:Direct user consent?

[GuB-42]

Yes, auto-backup-restore from a central server is the obvious solution.
However you have to do it properly, or else, it will become the weak point. You have to be careful of packet sniffing and man-in-the-middle attacks. Your server can be attacked too. And the more convinient you make your backups, the less secure they tend to be.

I think that the best compromise to turn on full disk encryption and that in case of anomaly (such as too many failed unlocks) the phone shuts down. Properly encrypted data are almost as good as a full (secure) wipe and better than an unsecure wipe.

"Little value as target"

Yeah sure. I'm sure BB has very little value as a target, not when some of the most high profile people in the world uses it that has wealth and power greater than every other person in the world with any other phone combined.

Makes me wonder where he's been living under all these time.

Re:"Little value as target"

[93+Escort+Wagon]

It was a Twitter post - so I imagine he spent roughly one second thinking about it before typing that.

But I realize it's hard to not overreact or take stuff like that personally when there are only a half-dozen of you Blackberry users left in the world.

Re:"Little value as target"

[AchilleTalon]

What's the point about the market share? A company can be healthy and profitable without being the market leader, suffice to have a niche market share composed of wealthy customers ready to pay premium for products designed for their needs. Note, I am not saying BB is that, what I am saying is refraining about the market share size of a company is a false argument without the context.

In fact, BB's error was probably just that, go after the whole market and introduce multiple products, including low-end products to gain market share rather than focusing on the original customer base and improve the products for this customer base.

Re:"Little value as target"

[Luckyo]

He's living in a world where he's marketing his services to companies that sell to those masses. Not those few.

Professionals who handle security for those few don't advertise their work like this.

Cell phones are insecure.

[Kenja]

It's inherent in how they work. Rather then trying to secure them, which I don't think can be done, just start assuming they are insecure and treat them as such. Don't hold a private, personal conversation in a crowded public room and don't send text messages you don't want other people to see.

Re:Cell phones are insecure.

[ledow]

I think that's pessimistic. That might be how they work NOW but there's no reason that an end-to-end secure cellphone network cannot exist.

Security of the conversation is basically guaranteed using TLS etc. Provide a certificate to your contacts, instead of a phone number. That certificate can encrypt communications to yourself so only you can decrypt them.

The biggest problem is routing, but that's something that can be layered over using the data network facilities and software like Tor.

The problems all along are really metadata related. If your contact is caught, gives up the phone and all his access details, you can be linked to have communicated with him (but with perfect-forward-secrecy, hopefully the contents of those communique will remain secret). Correlation attacks, etc. also exist and would be your biggest attack.

And, at some point, someone is providing the service you use and you're paying them somehow. Total anonymisation is possible, but difficult.

But if your definition of security is "no-one can know what I said to Fred on the phone when I know Fred and I are both in secure (un-eavesdrop-able) locations" then - yes - that can be done. Now. Today. Using existing technologies. I'd be amazed if there were thousands of people doing just that, especially given the sheer existence of things like PGP etc. many decades ago.

Absolute security is possible. And most realisitic definitions of security are more possible. It's really the trade-off between practicality, side-channel attacks (just following you and hearing what you said), and how much technology you want to use.

Re:Cell phones are insecure.

[Miamicanes]

no reason that an end-to-end secure cellphone network cannot exist.

The problem is, you will never, EVER control every single bit & atom along the signal path between your vocal cords and the recipient's ear. Without PKI, you're vulnerable to MITM. With PKI, you're vulnerable to compromise of the PKI infrastructure itself. Or compromise to the layer that enforces PKI's use. The best you can ever really hope for is to eliminate enough failure points to at least NOTICE the possibility that your communication might be getting intercepted or compromised.

Is absolute security between two people possible? Maybe... IF

* they know in advance that they're going to communicate with each other

* they have a way to securely exchange devices in a way that's not vulnerable to tampering during shipment or after receipt.

* they can implicitly trust everyone who had a role in the software running on the device

* they'd rather be left unable to communicate than communicate with the slightest risk of unauthorized disclosure.

The last one is the biggie. 99.999% of all security exploits exist because someone figured out how to use the emergency backdoor left in the code to deal with unforeseen future emergencies that might otherwise brick millions of dollars worth of hardware. Think of a building... you can armor-plate the windows, and weld all the doors shut except for one that's protected by an army of soldiers... then have 95% of the building's occupants die in a fire because they couldn't get out due to all the escape routes being closed off. OR... you can design escape routes to maximize survivability, then have someone gain access to the building by triggering a false alarm & sneaking in through the escape routes while everyone else is trying to get out. The more you harden something to eliminate vulnerabilities, the more vulnerable you leave yourself to future device and data loss.

OpenBSD phone

I wonder why there hasn't been a phone based on OpenBSD.

Re:OpenBSD phone

[tepples]

It depends on how many ARM SoC vendors make OpenBSD a priority.

Bix Nood

Nope, just the ones that can store all your muhfugen pix nood.

new advertising paradigm... we suck, you're safe

[swschrad]

they've tried everything else, why not that?

Lemons and Lenomaid.

[fahrbot-bot]

Nevertheless, this only further proves you cannot add layers of security on top of an underlying platform with security vulnerabilities.

Okay. And when will an underlying platform without security vulnerabilities be ready - phone or otherwise?

So what?

Rooting a phone doesn't make it insecure. It only matters if an attacker without physical access can get in.

Interesting!

[vomitology]

Company says something is 'secure', gets proven wrong. This is *exciting stuff*, people!

Silent Circle response part 1

[mrkoot]

Silent Circle's response part 1:

Blackphone rooted at DefconâS -- Part 1

Greetings from Def Con! Thus far Team Blackphone has been having a very positive Con. We have been receiving a lot of positive feedback and praise for taking on the flag of building and maintaining a secure and private smartphone system. This was a challenge that we knew full well would not be easy, but if it were easy then anyone could do it.

The researcher @TeamAndIRC was a little miffed at our initial response to his inquiry and I understand his point. In response, he had a t-shirt made that stated he rooted the Blackphone at Def Con. The ironic part to this is I would have absolutely gone over and made that t-shirt for him myself once the full vulnerability was explained. @TeamAndIRC and I had a chat here at Def Con. I would like to thank him for not blowing the issue out of proportion and going back to the twittersphere for a little more transparency by explaining that direct user interaction is required and that we had already patched one of the vulnerabilities through the OTA update.

According to @TeamAndIRC there were three issues discovered. The first one is that he was able to get ADB turned on. Turning ADB on is not a vulnerability as this is part of the Android operating system. We turned ADB off because it causes a software bug and potentially impacts the user experience, a patch is forthcoming. His second discovery is accurate and here is the point I want to stress to the community. We found this vulnerability on July 30, had the patch in QA on July 31, and the OTA update released on August 1. That is pretty fast, no?

When @TeamAndIRC details the third vulnerability today at Def Con around 2pm PST we will be on the floor. We will get the details, and feel confident that we will have the system patched just as fast as last time. That is our commitment to the community â" to close the threat window faster than any other OEM. So, for now stay tuned as we will have an update later today.

Sincerely,

Dan Ford, D.Sc. (@netsecrex)
Chief Security Officer
SGP Technologies

So what?

lol, you don't actually believe this do you?
Security only matter with respect to remote attacks?
Do you work for Blackphone?

So they can root that... but not...

[Karmashock]

the Moto X from Verizon version 4.4.2?

there are a lot of locked bootloaders out there that so far don't seem to be breached.