Slashdot Mirror


Blackphone 2 Caters To the Enterprise, the Security-Minded and the Paranoid

Mark Wilson writes: While much of the news coming out of MWC 2015 has been dominated by Microsoft's Lumia 640, the Samsung Galaxy S6 Edge, and tablets from Sony, there's always room for something a little different. Following on from the security-focused Blackphone, Silent Circle used the Barcelona event to announce the follow-up — the Blackphone 2. The privacy-centric company has been working on the "world's first enterprise privacy platform" for some time now and the second generation Blackphone. As you would expect, there's a faster processor than before -- an 8-core beast -- as well as an upgraded 3GB RAM, a larger 5.5 inch screen and a bigger battery than before. Blackphone 2 has a $600 price tag and will be unleashed in July.

14 of 59 comments

  1. Let me guess by DougOtto · · Score: 2

    Gemalto SIM card?

    --
    Solving Unix problems since 1989...
    1. Re:Let me guess by sabri · · Score: 4, Informative

      Gemalto SIM card?

      Doesn't matter. The SIM card works on the network level. The data (voice or data) is encrypted prior to transmission onto the network layer so a compromised SIM card is no problem.

      --
      I'm not a complete idiot... Some parts are missing.
    2. Re:Let me guess by VValdo · · Score: 2, Interesting

      I know this is the second, uh, let's-just-say-"story" about Blackphone in four days, but I think it should be noted that the stolen Gemalto keys may have included "OTA keys" that can be used for over-the-air SIM card upgrades:

      Access to these encryption keys does not give governmental agencies only the power to monitor cellular communications, including calls and data, but they also come with additional perks, such as the power of instructing a device to install specific programs.

      Spyware could be installed on the SIM card itself, and then it could be used to install additional spy apps on a phone without the user's knowledge, or to retrieve data from it.

      From the Verge story:

      Manufacturers can send a binary text message directly to the SIM card, and as long as it's signed with the proper OTA key, the card will install the attached software without question. If those keys were compromised, it would give an attacker carte blanche to install all manner of spyware.

      So apparently it does matter.

      --
      -------------------
      This is my SIG. There are many like it, but this one is mine.
  2. Attention Seekers, too. by BoRegardless · · Score: 4, Informative

    Not just for "Security minded & paranoid."

    "Security minded" people either don't carry cell phones or use plain burner phones housed in tin boxes when not in use and throw them away quickly.

  3. what is this by invictusvoyd · · Score: 2

    privateOS based on? hope not on android

  4. Re:But can it protect users against the Stingray? by thoriumbr · · Score: 3, Informative

    Yes, it will protect you. The government will still be able to intercept and listen to your calls, data and text, but they will be encrypted and they will not be able to know what you were talking about.

    Expect NSA to hack Silent Circle to obtain the keys, though...

  5. Re:But can it protect users against the Stingray? by geekmux · · Score: 3, Insightful

    Yes, it will protect you. The government will still be able to intercept and listen to your calls, data and text, but they will be encrypted and they will not be able to know what you were talking about. Expect NSA to hack Silent Circle to obtain the keys, though...

    Oh and by the way, want to know if their hacking attempts were successful or not? That's easy to determine now.

    Is any Blackphone service still legal to use?

    You now have your answer.

    Enjoy the illusion of privacy.

  6. The Enterprise? by rs79 · · Score: 2

    Pretty sure they don't need "phones".

    LLAP

    --
    Need Mercedes parts ?
  7. Re:But can it protect users against the Stingray? by Anonymous Coward · · Score: 2, Insightful

    On the other hand, if they actually banned something, wouldn't that attract people to that service? For example, in the 1990s, PGP got a lot of attention because it was "illegal", either due to RSA patents or ITAR penalties. Now, almost nobody uses it.

    One can look at Prohibition, the War on Drugs, and as of now, the gun control fight to see how well banning something works.

  8. Re:Privacy by PopeRatzo · · Score: 2

    Privacy is the next big thing.

    The perception of privacy is the next big thing. We've already mortgaged our privacy for beads and trinkets.

    --
    You are welcome on my lawn.
  9. What about the non-paranoid? by Anonymous Coward · · Score: 2, Interesting

    This company is taking advantage of the paranoid. I want a device that actually has a chance at respecting my privacy. You're not going to get that in a true mobile phone as the GSM module is going to enable big brother to track you at all times. It's just how the thing works. What we need is a device that is mass produced, cost effective (as you need significant numbers for it to be privacy friendly), and text-oriented. That GSM modem can't be always-on or they'll learn who you are by the movements you make. We need a device that communicates only occasionally, can be purchased anonymously, and is identical to other devices, or near so. The carrier should never be able to identify the messages being sent or to whom. There also needs to be separation of the GSM modem from the main device to avoid the GSM modem being able to snoop. The GSM modem also needs to be controlled by the main device (i.e. so you know you're in control). Then we need the source code for the rest of the device. The complete set of sources. Not some “open source” device where we really don't have a clue what's going on because there is some proprietary piece.

  10. Re:But can it protect users against the Stingray? by drinkypoo · · Score: 2

    Yes, it will protect you. The government will still be able to intercept and listen to your calls, data and text, but they will be encrypted and they will not be able to know what you were talking about.

    But if you just have mobile data, you can do all that now with a typical Android phone without even installing additional software.* Just configure IPSEC to encrypt your SIP communications (you're going to need someplace for them to go, with IPSEC, that's your problem) and then configure the SIP phone to connect to your server, and finally make your calls via SIP. If you want to go WiFi-only, you can disable the cellular antenna for added security (or just buy a device without cell support in the first place, obviously.)

    * My SIP settings went missing. They're not where they're supposed to be. Moto G, 5.0.2.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. I don't think so... by VValdo · · Score: 2

    ...except my cable modem does not share storage with my PC. On the other hand, the baseband and Android system (not to mention the device-specific efs/imei stuff and the user data stuff) are all located on the same emmc on many devices. (Hence the ability to "flash a new radio")

    Could the baseband access or change data on the Android partitions or the efs data? I'm not sure, but the articles suggest to me that they could.

    Also, my cable modem doesn't share memory with my PC either: ....the application processor (with Android e.g.) and the baseband processor can share memory, so that an attack and takeover of the baseband stack offers the possibility to attack Android.

    The baseband may have a separate CPU from Android, but it could access peripherals, sensors, etc. As an example:

    The baseband processor (and thus REX OS) has direct access to the phone's hardware (speakers, microphones), and also seemingly the ability to write to the same memory as the SoC (or application processor).

    That's bad.

    Also, unlike your cable modem analogy, which communicates to your router via a known network protocol, the baseband communicates with Android in most cases via the involvement of closed-source, mysterious "binary blobs".

    So I guess if your cable modem were fused to your computer, sharing a hard drive, with direct access to its memory and peripherals, and communicating to your computer via a mysterious unauditable binary, then maybe your analogy would hold up.

    --
    -------------------
    This is my SIG. There are many like it, but this one is mine.
  12. Re:Not Paranoid Enough! by currently_awake · · Score: 2

    The NSA has the resources to backdoor the hardware, the drivers, the baseband firmware, and the software devs working on the project. But if this sells then others will follow. And those others will improve on security.