Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security-Focused BlackPhone Was Vulnerable To Simple Text Message Bug

Posted by Soulskill on from the nobody's-perfect dept.

mask.of.sanity sends this report from El Reg: The maker of BlackPhone – a mobile marketed as offering unusually high levels of security – has patched a critical vulnerability that allows hackers to run malicious code on the handsets. Attackers need little more than a phone number to send a message that can compromise the devices via the Silent Text application.

The impact of the flaw is troubling because BlackPhone attracts what hackers see as high-value victims: those willing to invest AU$765 (£415, $630) in a phone that claims to put security above form and features may well have valuable calls and texts to hide from eavesdroppers.

6 of 46 comments (clear)

  1. Security is a process ... by gstoddart · · Score: 5, Insightful

    The problem with security is it is an on-going process, and it takes time. Which means the trust that you actually are secure also takes time.

    So, just because you started out thinking "Oh boy, are we going to be hella secure" -- it takes a long time to FIND all those things which defeat that, and just as long to convince everybody that you've done it.

    Almost as soon as I heard of this phone my first thought was "gee, you're brand new, why should be trust that you've got it sorted out".

    And, as TFS says ... this phone is used by people who want additional security. What the hell made you think you wouldn't be immediately targeted? This is like advertising you have an unbreakable vault ... now everybody wants to prove you wrong.

    I think they started trading on a reputation they hadn't earned yet, and now it's biting them in the ass.

    --
    Lost at C:>. Found at C.
    1. Re:Security is a process ... by mlts · · Score: 4, Insightful

      The problem is that a company that has security as part of their mindset is hard to find. Most at best have it as an afterthought, something strapped on at the last moment.

      Security takes R&D, just like everything else. Would I expect a v1.0 product to be secure, especially from focused attack by people who want to bypass it? No, and not even in a v1.0.10 product. Breaches will happen for the first few years.

      However, I will state one thing about BlackPhone: They fixed the issue. Other vendors would just tell their customers to buy a new smartphone or go pound sand. Where the rubber meets the road is how security flaws are handled. Are they acknowledged and patched, or are they covered up, flagged as FNR (fixed in next release), and only threats of litigation able to actually get the vendor to make a patch. There will -always- be flaws. However, part of a company selling security is how they respond to issues, and here, BlackPhone has performed quite well. There was a problem, they fixed it, and that is what matters.

  2. pretty much expected. by nimbius · · Score: 4, Interesting

    Blackphone arguably isnt interested in real security at all, just theatre. Their phone is Android, but their entire range of security applications (the part that keeps you safe) is proprietary, closed source, and subscription based. Blackphone exists for the paranoid executive banging the mistress, the paranoid trophy wife banging the pool boy, and the paranoid celebrity with a panic room.
    Check out https://prism-break.org/ for real security. The open source community has worked hard for decades to help keep you safe and secure. Sometimes we dont have the sexiest branding, but for that tradeoff you get more than a promise. you get the source.

    --
    Good people go to bed earlier.
    1. Re:pretty much expected. by sasparillascott · · Score: 4, Informative

      Um, because one of the guys at the top of that company is Phil Zimmerman who created PGP? And they moved the company to Switzerland to avoid the entangling fingers of the U.S. government surveillance state.

      As to fixing bugs, that will always be an ongoing process. I'd like it better if they were open source, but I'd trust them better than most companies. JMHO...

    2. Re:pretty much expected. by jellomizer · · Score: 4, Insightful

      IT security is about tradeoffs.
      The idea of 100% security while possible, it impractical.
      Your argument about Blackphone is the fact they are not supportive of the OSS mind set, So you judging the quality of the technology based on what type of license it has.

      Ok a flaw was found, and they put in a fix for it, what else do you expect from them?

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  3. Phone mode also at risk... by The+New+Guy+2.0 · · Score: 4, Insightful

    It seems that the phone app on this device is susceptible to "Bank Impersonation" calls where the caller pretends to be from a bank when actually is a scam artist.