Slashdot Mirror


Security-Focused BlackPhone Was Vulnerable To Simple Text Message Bug

mask.of.sanity sends this report from El Reg: The maker of BlackPhone – a mobile marketed as offering unusually high levels of security – has patched a critical vulnerability that allows hackers to run malicious code on the handsets. Attackers need little more than a phone number to send a message that can compromise the devices via the Silent Text application.

The impact of the flaw is troubling because BlackPhone attracts what hackers see as high-value victims: those willing to invest AU$765 (£415, $630) in a phone that claims to put security above form and features may well have valuable calls and texts to hide from eavesdroppers.

46 comments

  1. Security is a process ... by gstoddart · · Score: 5, Insightful

    The problem with security is it is an on-going process, and it takes time. Which means the trust that you actually are secure also takes time.

    So, just because you started out thinking "Oh boy, are we going to be hella secure" -- it takes a long time to FIND all those things which defeat that, and just as long to convince everybody that you've done it.

    Almost as soon as I heard of this phone my first thought was "gee, you're brand new, why should we trust that you've got it sorted out".

    And, as TFS says ... this phone is used by people who want additional security. What the hell made you think you wouldn't be immediately targeted? This is like advertising you have an unbreakable vault ... now everybody wants to prove you wrong.

    I think they started trading on a reputation they hadn't earned yet, and now it's biting them in the ass.

    --
    Lost at C:>. Found at C.
    1. Re:Security is a process ... by TWX · · Score: 1

      The problem with security is it is an on-going process, and it takes time.

      The entire security model and mindset in IT and computing is severely flawed. Arguably if it weren't for dependency on computers and the ability to gussy-up terrible back-end code with pretty user interfaces, this situation would be completely untenable.

      --
      Do not look into laser with remaining eye.
    2. Re:Security is a process ... by BreakBad · · Score: 3, Interesting

      They should have called it 'GreyPhone', maybe one day, after many updates, 'DarkGreyPhone'. But let's face it... BlackPhone may just be unobtainable.

    3. Re:Security is a process ... by AchilleTalon · · Score: 2

      I'd say fifty shades of grey phone due to the sado-masochist practices that resulted from its introduction in the market.

      --
      Achille Talon
      Hop!
    4. Re:Security is a process ... by Anonymous Coward · · Score: 2, Informative

      It isn't IT, it is a mindset of a lot of companies that security, and IT in general, are cost centers. There is a mantra that "security has no ROI".

      However, let's be real here, and I will do a bit of devil's advocate work here. Security doesn't have an ROI:

      1: Sony is back to normal. The PSN hack didn't affect their stock price overall, and the latest hack will be forgotten in 2-3 months.

      2: Security doesn't hurt businesses. If data gets leaked, whoopty-do. China does the ODM work anyway.

      3: SANs are immune to hacking, so it just takes a restore of a snap-shotted LUN to recover lost data. Even with the fact that companies don't use offline media, but use deduplication appliances like Avamars, there has not been a single recorded case in public of a blackhat hacking one and purging it. So, what damage an intruder can do is limited.

      4: The damage done in a breach is customer data. This doesn't cause a business any harm.

      So, with the points above, why should there be focus other than maybe a PR bulletin on anything security related?

    5. Re:Security is a process ... by mlts · · Score: 4, Insightful

      The problem is that a company that has security as part of their mindset is hard to find. Most at best have it as an afterthought, something strapped on at the last moment.

      Security takes R&D, just like everything else. Would I expect a v1.0 product to be secure, especially from focused attack by people who want to bypass it? No, and not even in a v1.0.10 product. Breaches will happen for the first few years.

      However, I will state one thing about BlackPhone: They fixed the issue. Other vendors would just tell their customers to buy a new smartphone or go pound sand. Where the rubber meets the road is how security flaws are handled. Are they acknowledged and patched, or are they covered up, flagged as FNR (fixed in next release), with only threats of litigation able to actually get the vendor to make a patch? There will -always- be flaws. However, part of a company selling security is how they respond to issues, and here, BlackPhone has performed quite well. There was a problem, they fixed it, and that is what matters.

    6. Re:Security is a process ... by Nerrd · · Score: 2

      "SANs are immune to hacking" Oh man. That is rich. Can I interest you in a very fine Bridge? Only slightly used.

    7. Re:Security is a process ... by IamTheRealMike · · Score: 3

      There will -always- be flaws. However, part of a company selling security is how they respond to issues, and here, BlackPhone has performed quite well. There was a problem, they fixed it, and that is what matters.

      I agree that how a company handles incident response is important and the BlackPhone guys have apparently handled this well.

      However, there are several things that are troubling about this story which lead me to not trust BlackPhone and question the security experience of the people designing it.

      The first thing we notice about this exploit is that the library in question appears to be written in C, even though it's newly written code that is parsing complex data structures straight off the wire from people who might be attackers. What is this, 1976? These guys aren't programming smartcard chips without an OS, they're writing a text messaging app that runs on phones in which the OS is written in Java. Why the hell is the core of their secure messaging protocol written in C?

      The second thing we notice is that the bug occurs due to a type confusion attack whilst parsing JSON. JSON?! Yup, SCIMP messages apparently contain binary signatures which are base64 encoded, wrapped in JSON, and then base64 encoded again. A more bizarre or error-prone format is difficult to imagine. They manage to combine the efficiency of double-base64 encoding binary data with the tightness and simplicity of a text based format inspired by a scripting language which has, for example, only one kind of number (floating point). They get the joy of handling many different kinds of whitespace, escaping bugs, etc. And to repeat, they are parsing this mess of unneeded complexity... in C.

      Compare this to TextSecure, an app that does the same thing as the BlackPhone SMS app. TextSecure is written by Moxie Marlinspike, a man who Knows What He Is Doing(tm). TextSecure uses protocol buffers, a very simple and efficient binary format with a schema language and compiler. There is minimal scope for type confusion. Moreover, the entire app is written in Java, so there is no possibility of memory management errors whilst trying to read messages crafted by an attacker. By doing things this way they eliminate entire categories of bugs in one fell swoop.

      So yes, whilst the BlackPhone team should be commended for getting a patch out to their users, this whole incident just raises deep questions about their design decisions and development processes. The fact that such a bug could occur should have been mind-blowingly obvious from the moment they wrote their first line of code.
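
The type-checked field access and strict decoding of the nested signature that this comment argues for, written out as an added example in C; it is not part of the thread or of Silent Text's code, and the tagged-union value type, the "sig" field name and the 64-byte signature size are assumptions.

```c
/* Added example, not code from Silent Text or the SCIMP library: a tagged-union
 * JSON value (the shape most C JSON libraries return) plus a signature extractor
 * that checks the type tag, the base64 syntax and the decoded length before
 * trusting any byte. The "sig" field name and 64-byte size are assumptions. */
#include <string.h>

typedef enum { J_STRING, J_NUMBER } jtype;
typedef struct {
    const char *key;
    jtype type;
    union { const char *str; double num; } u;  /* u.str valid only for J_STRING */
} jfield;
typedef struct { const jfield *fields; size_t n; } jobject;

/* Type-checked accessor: NULL unless the field exists AND is tagged a string.
 * Reading u.str without consulting the tag is the type-confusion pattern the
 * comment describes: a number chosen by the sender gets used as a pointer. */
static const char *get_string(const jobject *o, const char *key) {
    for (size_t i = 0; i < o->n; i++)
        if (strcmp(o->fields[i].key, key) == 0)
            return o->fields[i].type == J_STRING ? o->fields[i].u.str : NULL;
    return NULL;
}

/* Strict base64 decoder: rejects stray characters, misplaced padding, lengths
 * not a multiple of 4, and output larger than outcap. Returns length or -1. */
static int b64_decode(const char *in, unsigned char *out, size_t outcap) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t len = strlen(in), o = 0;
    unsigned acc = 0, bits = 0, pad = 0;
    if (len == 0 || len % 4 != 0) return -1;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '=') { if (i + 2 < len) return -1; pad = 1; continue; }
        const char *p = strchr(tbl, in[i]);
        if (pad || !p) return -1;           /* data after padding, or bad char */
        acc = (acc << 6) | (unsigned)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= outcap) return -1;     /* more output than the caller allows */
            out[o++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)o;
}

#define SIG_LEN 64  /* assumed fixed signature size */

/* Inner layer of the format: "sig" must be a string, decode cleanly, and yield
 * exactly SIG_LEN bytes; anything else is rejected before use. */
static int extract_sig(const jobject *msg, unsigned char sig[SIG_LEN]) {
    const char *b64 = get_string(msg, "sig");
    unsigned char buf[SIG_LEN + 3];         /* slack so over-length input is caught */
    if (!b64 || b64_decode(b64, buf, sizeof buf) != SIG_LEN) return -1;
    memcpy(sig, buf, SIG_LEN);
    return 0;
}

/* Constructed inputs for the two interesting cases. */
int accepts_valid_sig(void) {               /* 1 when a well-formed message passes */
    char b64[89];                           /* 64 x 0x41 as base64: "QUFB"x21 + "QQ==" */
    for (int i = 0; i < 21; i++) memcpy(b64 + 4 * i, "QUFB", 4);
    memcpy(b64 + 84, "QQ==", 5);
    jfield f[] = {{"sig", J_STRING, {.str = b64}}};
    jobject m = {f, 1};
    unsigned char sig[SIG_LEN];
    return extract_sig(&m, sig) == 0 && sig[0] == 0x41 && sig[63] == 0x41;
}
int rejects_numeric_sig(void) {             /* 1 when a numeric "sig" is refused */
    jfield f[] = {{"sig", J_NUMBER, {.num = 1.0}}};
    jobject m = {f, 1};
    unsigned char sig[SIG_LEN];
    return get_string(&m, "sig") == NULL && extract_sig(&m, sig) == -1;
}
```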

    8. Re:Security is a process ... by Anonymous Coward · · Score: 0

      The ironic thing is that I use TextSecure because of the fact that the source is available. Moxie knows his stuff, which is something I almost never say.

    9. Re:Security is a process ... by Anonymous Coward · · Score: 0

      The problem is that a company that has security as part of their mindset is hard to find. Most at best have it as an afterthought, something strapped on at the last moment.

      Security takes R&D, just like everything else. Would I expect a v1.0 product to be secure, especially from focused attack by people who want to bypass it? No, and not even in a v1.0.10 product. Breaches will happen for the first few years.

      However, I will state one thing about BlackPhone: They fixed the issue. Other vendors would just tell their customers to buy a new smartphone or go pound sand. Where the rubber meets the road is how security flaws are handled. Are they acknowledged and patched, or are they covered up, flagged as FNR (fixed in next release), with only threats of litigation able to actually get the vendor to make a patch? There will -always- be flaws. However, part of a company selling security is how they respond to issues, and here, BlackPhone has performed quite well. There was a problem, they fixed it, and that is what matters.

      Except that it's only a matter of time before it's "Sorry, you bought your BlackPhone Universe S3 18 months ago, we're not coming out with updates to that anymore, so you're stuck with BlackOS 2.3 that isn't being patched. But we'll offer you a deal for only $600 to upgrade to the new BlackPhone Universe S5 that'll get updates for the next 18 months before we drop supporting it too."

  2. pretty much expected. by nimbius · · Score: 4, Interesting

    Blackphone arguably isn't interested in real security at all, just theatre. Their phone is Android, but their entire range of security applications (the part that keeps you safe) is proprietary, closed source, and subscription based. Blackphone exists for the paranoid executive banging the mistress, the paranoid trophy wife banging the pool boy, and the paranoid celebrity with a panic room.
    Check out https://prism-break.org/ for real security. The open source community has worked hard for decades to help keep you safe and secure. Sometimes we don't have the sexiest branding, but for that tradeoff you get more than a promise. You get the source.

    --
    Good people go to bed earlier.
    1. Re:pretty much expected. by cockroach2 · · Score: 1

      Indeed, I've been wondering why anyone would think that this particular vendor of a proprietary Android-based phone is any better than the others. Because they say so?

    2. Re:pretty much expected. by sasparillascott · · Score: 4, Informative

      Um, because one of the guys at the top of that company is Phil Zimmermann who created PGP? And they moved the company to Switzerland to avoid the entangling fingers of the U.S. government surveillance state.

      As to fixing bugs, that will always be an ongoing process. I'd like it better if they were open source, but I'd trust them better than most companies. JMHO...

    3. Re:pretty much expected. by jellomizer · · Score: 4, Insightful

      IT security is about tradeoffs.
      The idea of 100% security, while possible, is impractical.
      Your argument about Blackphone is the fact that they are not supportive of the OSS mindset, so you are judging the quality of the technology based on what type of license it has.

      OK, a flaw was found, and they put in a fix for it, what else do you expect from them?

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:pretty much expected. by TWX · · Score: 2

      ie, "I want to go live somewhere beautiful and I'm rich, how's Switzerland this time of year?"

      --
      Do not look into laser with remaining eye.
    5. Re:pretty much expected. by cockroach2 · · Score: 1

      Okay, Phil Zimmermann counts as a valid argument.

    6. Re:pretty much expected. by cockroach2 · · Score: 1

      ie, "I want to go live somewhere beautiful and I'm rich, how's Switzerland this time of year?"

      Turning into a bad place for those who like privacy.

    7. Re:pretty much expected. by buchner.johannes · · Score: 2

      IT security is about tradeoffs.

      Not true, you can have worse security without gaining anything. So you can also increase security without losing any comfort. You are setting up a false premise that more security always requires a sacrifice. What we really need instead is a measure of achieved security, to rid ourselves of unnecessary, security-theatre-based sacrifices both in terms of privacy and money.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    8. Re:pretty much expected. by mlts · · Score: 2

      This is one reason why I have hedged on buying one. How are they better than CyanogenMod, and for tools, open-source items, be it apg, K-9, EncFS (so files can be secured on both SD cards and cloud providers), RedPhone, TextSecure, and other apps that have their source available if one wants to manually look at it.

      I respect PRZ incredibly, but one of the reasons why I continue to use PGP even though he states that it is obsolete is that PGP (and GnuPG) are open source... and they are platform and transport mechanism independent. I can send an OpenPGP ASCII armored packet via E-mail, texting, XMPP, Facebook, or any other messaging protocol. I do respect PRZ for founding a security company in an era where most "security" is PR, but I prefer to pack my own parachute and use the tried and true.

    9. Re:pretty much expected. by Archangel+Michael · · Score: 2

      More security requires more diligence, which is often inconvenient. More security requires everyone to be secure, not just some, and that is definitely inconvenient, and requires trust that others are not putting you in danger (insecure), which requires compliance checks and verification, which is inconvenient. Technology can take the edge off the inconvenience, but isn't the panacea that everyone wants it to be.

      The weakest link in security is people. Always has been, always will be.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    10. Re:pretty much expected. by Anonymous Coward · · Score: 0

      awesome link, thanks

    11. Re:pretty much expected. by Anonymous Coward · · Score: 0

      Switzerland is expensive this time of year, being that it is a date that falls in the year.

  3. Most secure phone there is? by fustakrakich · · Score: 1

    30 Dollar Nokia

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Most secure phone there is? by Anonymous Coward · · Score: 0

      Probably correct. I have an old moto F3 that falls in that same category.

      I'm not sure why people assume that Blackphone is not a front (or otherwise compromised). I read a book a number of years ago, title eludes me, where the whole premise was getting the middle eastern types to buy into this superduper secure phone that was of course backdoored and planned out by the NSA/CIA.

    2. Re:Most secure phone there is? by TWX · · Score: 1

      You know, take away the smart features of a phone and there's suddenly a whole lot of nothing for someone to steal from it, at least compared to before.

      --
      Do not look into laser with remaining eye.
    3. Re:Most secure phone there is? by sasparillascott · · Score: 2

      I doubt the creator of PGP would be in on that conspiracy - since he's at the top of the company. I would expect that if the NSA didn't like that company (and they don't), they would do whatever they could to sabotage their commercial success, particularly via word of mouth.

      As for mobile phones, you really need to go back far enough before location information was integrated into them (long before smartphones).

  4. Phone mode also at risk... by The+New+Guy+2.0 · · Score: 4, Insightful

    It seems that the phone app on this device is susceptible to "Bank Impersonation" calls where the caller pretends to be from a bank when actually he is a scam artist.

    1. Re:Phone mode also at risk... by thegarbz · · Score: 1

      For an additional $2000 I'm offering a service to identify if the phone user is also stupid and likely to fall for such simple marketing ploys. For your added benefit I don't even require any personal details, just deposit the money and call us and we can give you the results of our findings on the spot.

  5. 630 US$ ? by Anonymous Coward · · Score: 0

    630 US$ ? Isn't that about the same price as an iPhone 5s, and less than the price of the iPhone 6/6+ ?

    1. Re:630 US$ ? by Minwee · · Score: 2

      630 US$ ? Isn't that about the same price as an iPhone 5s, and less than the price of the iPhone 6/6+ ?

      You must be confused. iPhones are free. It says so right on the top of this contract I just signed. Sure, I have to pay more than $2000 over the next two years but the phone is free! It says so right here!

      Would the phone company lie to me?

  6. But, But by BoRegardless · · Score: 2

    BlackPhone is TOTALLY 100% SECURE, when it is turned off

    1. Re:But, But by ArhcAngel · · Score: 3, Informative

      You meant that as a joke but when Microsoft first attained government security (C2 IIRC) certification for Windows NT there was a little asterisk by the cert. For the OS to be considered C2 compliant it must not be connected to a network in any way.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  7. Nothing is unhackable by Anonymous Coward · · Score: 2, Informative

    Nowhere do they claim they are unhackable. It's just better than the alternatives. And at a consumer price at that.

    It's more secure than BlackBerry, no back doors, and comparable to $2k+ solutions. It also runs Android apps.

    So yes, it's a trade off. If you want the ultimately secure phone, you're going to end up talking only to yourself.

    1. Re:Nothing is unhackable by mlts · · Score: 3, Interesting

      It does have its appeal. For the average user who isn't that technical, and who doesn't know/care how to use PGP or GnuPG, this phone is a step up. At least a user who bought this will get better fixes with regards to security issues than with a lot of smartphones.

      My biggest complaint is that it is a closed ecosystem. It would be nice if other devices that are not BlackPhones can run the apps so there can be a wider customer base. Otherwise, the device's acceptance will be hindered because everyone has to have that specific maker's phone. Plus, for every closed application, there is an open alternative.

      Maybe the ideal would be to get PGP working independently and transparently with text messaging [1], mail, voice, video, and other items. That way, the metadata can be protected via one layer, but the actual contents are protected no matter what, even if the protocol is completely broken wide open.

      [1]: An ideal would be something where sender's device would check if the receiver had the ability to receive (likely having the app poll a server every so often), and if so, send it over the Internet (mainly so it can be acknowledged it was received). If not, send it via SMS/MMS. Unlike iMessage, it would fall back and not assume that a specific app was installed and running.

    2. Re:Nothing is unhackable by chihowa · · Score: 1

      There are several implementations of OpenPGP on Android and iOS. These guys have one that's coming along nicely and has OK email and XMPP integration (because they actually wrote a decent API for (de)crypting).

      Of course, your keys are only as secure as your phone... which isn't very. Google, the carrier (for stock, branded phones), and who knows else can remotely swipe the key from your device. There is rudimentary support for secure elements like YubiKey, though.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  8. C? by AqD · · Score: 1, Offtopic

    Why are they still using C to deal with network protocol? Is the performance so critical that it's worth all the troubles?

    Any high school student could have written this library in Java or something higher-level, running on JVM with all the strict rules and redundant checks everywhere, and without any need of special care for nasty security issues like that (unless VM itself is faulty, but it wouldn't concern app makers).

    It might end up 10x slower and consume 10x more memory - but who cares? You have 4GB RAM on phones now, and 4 cores x 2GHz CPUs!

    1. Re:C? by Anonymous Coward · · Score: 1

      You are what's wrong with technology today. Fuck you, and fuck java.

  9. Not "troubling", the word should be "sobering." by Kazoo+the+Clown · · Score: 2

    Bugs happen. Vulnerabilities may exist. Get used to it. You have to start somewhere. The important thing is to reject the incessant creeping featurism that is the source of most bugs and vulnerabilities.

  10. $630 whole dollars by Anonymous Coward · · Score: 0

    I'm not rich by a long stretch, but $630 as a significant investment for a high value target? Come on now. That's such a trivial amount of money for anybody law-abiding that would be considered high value. Probably even more trivial if you don't let pesky laws get in the way of your business.

    1. Re: $630 whole dollars by Anonymous Coward · · Score: 0

      My Z3 cost that and has better hardware. Problem with the bphone is that he thinks he can persuade people to fork over rx fees for apps which RedPhone and TextSecure do for free. My Z3 has a built-in ans system and most importantly full encryption options as well.
      In other words he provides nothing but the chance to put money in his pocket.
      Lastly, the real problem isn't securing your phone activities, but getting EVERYONE else to do the same. P Zimmermann discourages this. Fuck that asshole.

  11. dem haxx0rz by Anonymous Coward · · Score: 0

    dey be txtin u nao

  12. For starters, because it's transparent. by Ungrounded+Lightning · · Score: 1

    Why are they still using C to deal with network protocol?

    For starters, because it's transparent. The "K&R compliant assembly language", as one of my former colleagues once characterized it, translates to object in a clearly understandable way (especially if you turn optimization down or off). Though it gives you more opportunities to create bugs, it makes it hard for the bugs to hide from inspection.

    The "higher-level" the language, the more it takes over and inserts its own stuff between you and the metal, and the more opportunity for that to inject an invisible vulnerability - which you might have trouble removing even if you DO discover it.

    Meanwhile, many of the things "higher-level" languages protect you from can also be detected and flagged by both modern C compilers and code examination tools - starting with the venerable "lint".

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  13. Also: lots of code has been vetted for decades by Ungrounded+Lightning · · Score: 1

    Why are they still using C to deal with network protocol? Is the performance so critical that it's worth all the troubles?

    Also, because there's a lot of C code that has been in heavy use, and tested for correctness, for decades, suitable for reuse with substantial confidence that it's correct (though you check it anyhow...).

    Let's see you find code like THAT for a language that hasn't been AROUND for decades. B-)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  14. Repeat after me. by Anonymous Coward · · Score: 0

    Android can never be secure.

    It's like Win NT4. There's an appearance of security.