Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security-Focused BlackPhone Was Vulnerable To Simple Text Message Bug

Posted by Soulskill on from the nobody's-perfect dept.

mask.of.sanity sends this report from El Reg: The maker of BlackPhone – a mobile marketed as offering unusually high levels of security – has patched a critical vulnerability that allows hackers to run malicious code on the handsets. Attackers need little more than a phone number to send a message that can compromise the devices via the Silent Text application.

The impact of the flaw is troubling because BlackPhone attracts what hackers see as high-value victims: those willing to invest AU$765 (£415, $630) in a phone that claims to put security above form and features may well have valuable calls and texts to hide from eavesdroppers.

22 of 46 comments (clear)

  1. Security is a process ... by gstoddart · · Score: 5, Insightful

    The problem with security is it is an on-going process, and it takes time. Which means the trust that you actually are secure also takes time.

    So, just because you started out thinking "Oh boy, are we going to be hella secure" -- it takes a long time to FIND all those things which defeat that, and just as long to convince everybody that you've done it.

    Almost as soon as I heard of this phone my first thought was "gee, you're brand new, why should be trust that you've got it sorted out".

    And, as TFS says ... this phone is used by people who want additional security. What the hell made you think you wouldn't be immediately targeted? This is like advertising you have an unbreakable vault ... now everybody wants to prove you wrong.

    I think they started trading on a reputation they hadn't earned yet, and now it's biting them in the ass.

    --
    Lost at C:>. Found at C.
    1. Re:Security is a process ... by BreakBad · · Score: 3, Interesting

      They should have called it 'GreyPhone', maybe one day, after many updates, 'DarkGreyPhone'. But lets face it...BlackPhone may just be unobtainable.

    2. Re:Security is a process ... by AchilleTalon · · Score: 2

      I'd say fifty shades of grey phone due to the sado-masochist practices that resulted from its introduction in the market.

      --
      Achille Talon
      Hop!
    3. Re:Security is a process ... by Anonymous Coward · · Score: 2, Informative

      It isn't IT, it is a mindset of a lot of companies that security, and IT in general are cost centers. There is a mantra that "security has no ROI".

      However, lets be real here, and I will do a bit of devil's advocate work here. Security doesn't have a ROI:

      1: Sony is back to normal. The PSN hack didn't affect their stock price overall, and the latest hack will be forgotten in 2-3 months.

      2: Security doesn't hurt businesses. If data gets leaked, whoopty-do. China does the ODM work anyway.

      3: SANs are immune to hacking, so it just takes a restore of a snap-shotted LUN to recover lost data. Even with the fact that companies don't use offline media, but use deduplication appliances like Avamars, there has not been a single recorded case in public of a blackhat hacking one and purging it. So, what damage an intruder can do is limited.

      4: The damage done in a breach is customer data. This doesn't cause a business any harm.

      So, with the points above, why should there be focus other than maybe a PR bulletin on anything security related?

    4. Re:Security is a process ... by mlts · · Score: 4, Insightful

      The problem is that a company that has security as part of their mindset is hard to find. Most at best have it as an afterthought, something strapped on at the last moment.

      Security takes R&D, just like everything else. Would I expect a v1.0 product to be secure, especially from focused attack by people who want to bypass it? No, and not even in a v1.0.10 product. Breaches will happen for the first few years.

      However, I will state one thing about BlackPhone: They fixed the issue. Other vendors would just tell their customers to buy a new smartphone or go pound sand. Where the rubber meets the road is how security flaws are handled. Are they acknowledged and patched, or are they covered up, flagged as FNR (fixed in next release), and only threats of litigation able to actually get the vendor to make a patch. There will -always- be flaws. However, part of a company selling security is how they respond to issues, and here, BlackPhone has performed quite well. There was a problem, they fixed it, and that is what matters.

    5. Re:Security is a process ... by Nerrd · · Score: 2

      "SANs are immune to hacking" Oh man. That is rich. Can I interest you in a very fine Bridge? only slightly used.

    6. Re:Security is a process ... by IamTheRealMike · · Score: 3

      There will -always- be flaws. However, part of a company selling security is how they respond to issues, and here, BlackPhone has performed quite well. There was a problem, they fixed it, and that is what matters.

      I agree that how a company handles incident response is important and the BlackPhone guys have apparently handled this well.

      However, there are several things that are troubling about this story which lead me to not trust BlackPhone and question the security experience of the people designing it.

      The first thing we notice about this exploit is that the library in question appears to be written in C, even though it's newly written code that is parsing complex data structures straight off the wire from people who might be attackers. What is this, 1976? These guys aren't programming smartcard chips without an OS, they're writing a text messaging app that runs on phones in which the OS is written in Java. Why the hell is the core of their secure messaging protocol written in C?

      The second thing we notice is that the bug occurs due to a type confusion attack whilst parsing JSON. JSON?! Yup, SCIMP messages apparently contain binary signatures which are base 64 encoded, wrapped in JSON, and then base64 encoded again. A more bizarre or error-prone format is difficult to imagine. They manage to combine the efficiency of double-base64 encoding binary data with the tightness and simplicity of a text based format inspired by a scripting language which has, for example, only one kind of number (floating point). They get the joy of handling many different kinds of whitespace, escaping bugs, etc. And to repeat, they are parsing this mess of unneeded complexity .... in C.

      Compare this to TextSecure, an app that does the same thing as the BlackPhone SMS app. TextSecure is written by Moxie Marlinspike, a man who Knows What He Is Doing(tm). TextSecure uses protocol buffers, a very simple and efficient binary format with a schema language and compiler. There is minimal scope for type confusion. Moreover, the entire app is written in Java, so there is no possibility of memory management errors whilst trying to read messages crafted by an attacker. By doing things this way they eliminate entire categories of bugs in one fell swoop.

      So yes, whilst the BlackPhone team should be commended for getting a patch out to their users, this whole incident just raises deep questions about their design decisions and development processes. The fact that such a bug could occur should have been mind-blowingly obvious from the moment they wrote their first line of code.

  2. pretty much expected. by nimbius · · Score: 4, Interesting

    Blackphone arguably isnt interested in real security at all, just theatre. Their phone is Android, but their entire range of security applications (the part that keeps you safe) is proprietary, closed source, and subscription based. Blackphone exists for the paranoid executive banging the mistress, the paranoid trophy wife banging the pool boy, and the paranoid celebrity with a panic room.
    Check out https://prism-break.org/ for real security. The open source community has worked hard for decades to help keep you safe and secure. Sometimes we dont have the sexiest branding, but for that tradeoff you get more than a promise. you get the source.

    --
    Good people go to bed earlier.
    1. Re:pretty much expected. by sasparillascott · · Score: 4, Informative

      Um, because one of the guys at the top of that company is Phil Zimmerman who created PGP? And they moved the company to Switzerland to avoid the entangling fingers of the U.S. government surveillance state.

      As to fixing bugs, that will always be an ongoing process. I'd like it better if they were open source, but I'd trust them better than most companies. JMHO...

    2. Re:pretty much expected. by jellomizer · · Score: 4, Insightful

      IT security is about tradeoffs.
      The idea of 100% security while possible, it impractical.
      Your argument about Blackphone is the fact they are not supportive of the OSS mind set, So you judging the quality of the technology based on what type of license it has.

      Ok a flaw was found, and they put in a fix for it, what else do you expect from them?

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:pretty much expected. by TWX · · Score: 2

      ie, "I want to go live somewhere beautiful and I'm rich, how's Switzerland this time of year?"

      --
      Do not look into laser with remaining eye.
    4. Re:pretty much expected. by buchner.johannes · · Score: 2

      IT security is about tradeoffs.

      Not true, you can have worse security without gaining anything. So you can also increase security without loosing any comfort. You are setting up a false premise that more security always requires a sacrifice. What we really need instead is a measure of achieved security, to rid ourselves of unnecessary, security-theatre-based sacrifices both in terms of privacy and money.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    5. Re:pretty much expected. by mlts · · Score: 2

      This is one reason why I have hedged on buying one. How are they better from CyanogenMod, and for tools, open-source items, be it apg, K-9, EncFS (so files can be secured on both SD cards and cloud providers), RedPhone, TextSecure, and other apps that have their source available if one wants to manually look it it.

      I respect PRZ incredibly, but one of the reasons why I continue to use PGP even though he states that it is obsolete is that PGP (and GnuPG) are open source... and they are platform and transport mechanism independent. I can send an OpenPGP ASCII armored packet via E-mail, texting, XMPP, Facebook, or any other messaging protocol. I do respect PRZ by founding a security company in an era where most "security" is PR, but I prefer to pack my own parachute and use the tried and true.

    6. Re:pretty much expected. by Archangel+Michael · · Score: 2

      More security requires more diligence, which is often inconvenient. More security requires everyone to be secure, not just some, and that is definitely inconvenient, and requires trust that others are not putting you in danger (insecure), which requires compliance checks and verification, which is inconvenient. Technology can take the edge off the inconvenience, but isn't the panacea that everyone wants it to be.

      The weakest link in security is people. Always has been, always will be.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  3. Phone mode also at risk... by The+New+Guy+2.0 · · Score: 4, Insightful

    It seems that the phone app on this device is susceptible to "Bank Impersonation" calls where the caller pretends to be from a bank when actually is a scam artist.

  4. Re:Most secure phone there is? by sasparillascott · · Score: 2

    I doubt the creator of PGP would be in on that conspiracy - since he's at the top of the company. I would expect that if the NSA didn't like that company (and they don't), they would do whatever they could to sabotage their commercial success, particularly via word of mouth.

    As for mobile phones, you really need to go back far enough before location information was integrated into them (long before smartphones).

  5. But, But by BoRegardless · · Score: 2

    BlackPhone is TOTALLY 100% SECURE, when it is turned off

    1. Re:But, But by ArhcAngel · · Score: 3, Informative

      You meant that as a joke but when Microsoft first attained government security (C2 IIRC) certification for Windows NT there was a little asterisk by the cert. For the OS to be considered C2 compliant it must not be connected to a network in any way.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  6. Nothing is unhackable by Anonymous Coward · · Score: 2, Informative

    nowhere do they claim they are unhackable. It's just better than the alternatives. And at a consumer price at that.

    It's more secure than blackberry, no back doors, and comparable to $2k+ solutions. It also runs android apps.

    So yes, it's a trade off. If you want the ultimately secure phone, you're going to end up talking only to yourself.

    1. Re:Nothing is unhackable by mlts · · Score: 3, Interesting

      It does have its appeal. For the average user who isn't that technical, and who doesn't know/care how to use PGP or gnuPG, this phone is a step up. At least a user who bought this will get better fixes with regards to security issues than with a lot of smartphones.

      My biggest complaint is that it is a closed ecosystem. It would be nice if other devices that are not BlackPhones can run the apps so there can be a wider customer base. Otherwise, the device's acceptance will be hindered because everyone has to have that specific maker's phone. Plus, for every closed application, there is an open alternative.

      Maybe the ideal would be to get PGP working independently and transparently with text messaging [1], mail, voice, video, and other items. That way, the metadata can be protected via one layer, but the actual contents are protected no matter what, even if the protocol is completely broken wide open.

      [1]: An ideal would be something where sender's device would check if the receiver had the ability to receive (likely having the app poll a server every so often), and if so, send it over the Internet (mainly so it can be acknowledged it was received). If not, send it via SMS/MMS. Unlike iMessage, it would fall back and not assume that a specific app was installed and running.

  7. Re:630 US$ ? by Minwee · · Score: 2

    630 US$ ? Isn't that about the same price as an iPhone 5s, and less than the price of the iPhone 6/6+ ?

    You must be confused. iPhones are free. It says so right on the top of this contract I just signed. Sure, I have to pay more than $2000 over the next two years but the phone is free! It says so right here!

    Would the phone company lie to me?

  8. Not "troubling", the word should be "sobering." by Kazoo+the+Clown · · Score: 2

    Bugs happen. Vulnerabilities may exist. Get used to it. You have to start somewhere. The important thing is to reject the incessant creeping featurism that is the source of most bugs and vulnerabilities.