Slashdot Mirror


Security-Focused BlackPhone Was Vulnerable To Simple Text Message Bug

mask.of.sanity sends this report from El Reg: The maker of BlackPhone – a mobile marketed as offering unusually high levels of security – has patched a critical vulnerability that allows hackers to run malicious code on the handsets. Attackers need little more than a phone number to send a message that can compromise the devices via the Silent Text application.

The impact of the flaw is troubling because BlackPhone attracts what hackers see as high-value victims: those willing to invest AU$765 (£415, $630) in a phone that claims to put security above form and features may well have valuable calls and texts to hide from eavesdroppers.

4 of 46 comments

  1. Re:pretty much expected. by sasparillascott · Score: 4, Informative

    Um, because one of the guys at the top of that company is Phil Zimmermann, who created PGP? And they moved the company to Switzerland to avoid the entangling fingers of the U.S. government surveillance state.

    As to fixing bugs, that will always be an ongoing process. I'd like it better if they were open source, but I'd trust them better than most companies. JMHO...

  2. Nothing is unhackable by Anonymous Coward · Score: 2, Informative

    Nowhere do they claim they are unhackable. It's just better than the alternatives. And at a consumer price at that.

    It's more secure than BlackBerry, no back doors, and comparable to $2k+ solutions. It also runs Android apps.

    So yes, it's a trade-off. If you want the ultimately secure phone, you're going to end up talking only to yourself.

  3. Re:But, But by ArhcAngel · Score: 3, Informative

    You meant that as a joke but when Microsoft first attained government security (C2 IIRC) certification for Windows NT there was a little asterisk by the cert. For the OS to be considered C2 compliant it must not be connected to a network in any way.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K

  4. Re:Security is a process ... by Anonymous Coward · Score: 2, Informative

    It isn't IT, it is a mindset of a lot of companies that security, and IT in general, are cost centers. There is a mantra that "security has no ROI".

    However, let's be real here, and I will do a bit of devil's advocate work here. Security doesn't have a ROI:

    1: Sony is back to normal. The PSN hack didn't affect their stock price overall, and the latest hack will be forgotten in 2-3 months.

    2: Security doesn't hurt businesses. If data gets leaked, whoopty-do. China does the ODM work anyway.

    3: SANs are immune to hacking, so it just takes a restore of a snap-shotted LUN to recover lost data. Even with the fact that companies don't use offline media, but use deduplication appliances like Avamars, there has not been a single recorded case in public of a blackhat hacking one and purging it. So, what damage an intruder can do is limited.

    4: The damage done in a breach is customer data. This doesn't cause a business any harm.

    So, with the points above, why should there be focus other than maybe a PR bulletin on anything security related?