Slashdot Mirror


Encrypted Blackphone Patches Serious Modem Flaw (threatpost.com)

msm1267 writes: Silent Circle, makers of the security and privacy focused Blackphone, have patched a vulnerability that could allow a malicious mobile application or remote attacker to access the device's modem and perform any number of actions. Researchers at SentinelOne discovered an open socket on the Blackphone that an attacker could abuse to intercept calls, set call forwarding, read SMS messages, mute the phone and more. Blackphone is marketed toward privacy-conscious users; it includes encrypted messaging apps such as SilentText and Silent Phone, and it runs on a customized, secure version of Android, called PrivatOS.

27 comments

  1. Baseband processors are the problem by Gravis+Zero · · Score: 4, Interesting

    Baseband processors (aka modems) have been the greatest technical weakness in cellphones since the dawn of SIM cards. They operate independently of the primary CPU and still crash when fuzzed and yet still have DMA lines to your RAM. Perhaps the bigger problem is how absurdly complex the ever growing number of protocol standards there are for baseband processors.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Baseband processors are the problem by Anonymous Coward · · Score: 0

      It's a cell phone. You are still tagged like wildlife.

  2. Neo900 phone by Anonymous Coward · · Score: 4, Interesting

    The Neo900.org phone deliberately uses a CPU that does not have a modem built into it. The modem is a separate chip, and there is a watchdog chip that instantly resets it if it tries to do anything when supposed to be off.

    1. Re:Neo900 phone by jonwil · · Score: 1

      It's also physically impossible for anyone to remotely activate the microphone on the Neo900 or remotely steal audio (all audio that gets sent to the modem goes via the AP and some still-being-written open source userspace blobs (which I happen to be involved with in a limited way)).

    2. Re: Neo900 phone by bill_mcgonigle · · Score: 3, Interesting

      Reportedly they've gotten PayPal to cripple that project.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re: Neo900 phone by Coisiche · · Score: 1

      Looks pretty much like someone thought that they'd be buying a phone and complained to PayPal when they didn't get one, and then PayPal treats it like any old eBay auction dispute.

    4. Re: Neo900 phone by Anonymous Coward · · Score: 0

      Maybe PayPal thought it was weird that their website indicates they don't expect to make money selling a $1200 phone in a used case.

    5. Re:Neo900 phone by Gravis+Zero · · Score: 2

      It's also physically impossible for anyone to remotely activate the microphone on the Neo900 or remotely steal audio

      unless there is a switch that you have to manually flip to connect and disconnect the microphone, you don't understand what "physically impossible" actually means.

      --
      Anons need not reply. Questions end with a question mark.
    6. Re:Neo900 phone by Gravis+Zero · · Score: 1

      The Neo900.org phone deliberately uses a CPU that does not have a modem built into it. The modem is a separate chip

      this is the case with almost all cellphones.

      and there is a watchdog chip that instantly resets it if it tries to do anything when supposed to be off.

      that's interesting but far from bullet-proof. the modem chip they are using, yep, made and programmed by gemalto. basically, its security is only a smidgen better than every other cellphone on the market.

      --
      Anons need not reply. Questions end with a question mark.
    7. Re:Neo900 phone by Anonymous Coward · · Score: 2, Interesting

      From their FAQ:
      http://neo900.org/faq

      Isn't a non-free baseband firmware a privacy issue?

      We're going to address privacy concerns of non-free modem firmware by ensuring that the modem has access to no more data than absolutely necessary, so it won't be able to spy on anything that's not already available on carrier side. On Neo900 one can be sure that the modem is actually turned off when requested, not just pretending to be. Users will be notified in case of the modem wanting to do something without their consent.

      Unlike some other smartphones do, Neo900 won't share system RAM with the modem and system CPU will always have full control over the microphone signal sent to the modem. You can think of it as a USB dongle connected to the PC, with you in full control over the drivers, with a virtual LED to show any modem activity.

  3. In Other Words by Anonymous Coward · · Score: 0

    The NSA has had access to Blackphones since day 1.

  4. Black desk phone by Anonymous Coward · · Score: 0

    With extra insulation so the annoying whine doesn't escape the acoustic coupler.

  5. Aaaand it's gone! by Anonymous Coward · · Score: 0

    Zero credibility.

    Any competent University CS major programmer could have figured out this was a stupid fucking hole. They are clearly incompetent and should not be in the security industry.

    1. Re:Aaaand it's gone! by Yonder+Way · · Score: 2

      Zero credibility.

      Any competent University CS major programmer could have figured out this was a stupid fucking hole. They are clearly incompetent and should not be in the security industry.

      Yeah... who the fuck does this Phil Zimmermann guy think he is?

  6. Secure Blackphone wasn't secure .. by Marcomasino · · Score: 0

    Why didn't they pick this up in the security audit? They did test for security before releasing to market?

    1. Re:Secure Blackphone wasn't secure .. by Opportunist · · Score: 1

      Contrary to popular and Hollywood belief, security experts are no magical beings that can instantly and flawlessly identify every security hole a product could ever have. There is also the problem that no hacker has ever managed to hack into a system he himself secured. For obvious reasons: If he knew there was a flaw, he would have patched it first.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re: Secure Blackphone wasn't secure .. by Anonymous Coward · · Score: 0

      That's wishful thinking. I would not bet money on your thinking a hacker would close all possible holes. They might not have time, or they discover a bug after release. Ever go through weeks of QA, release to production, and have 3 new bugs reported in 24 hours? No one is perfect, no one is pure sunshine in intent.

  7. They had baseband sourcecode access by Anonymous Coward · · Score: 0

    According to an interview that I think I heard in an old episode of risky.biz, the blackphone creators actually got access to source code for the modem. I remember this specifically because I was surprised about Nvidia being in that hardware business AND allowing them to audit it. I thought that would be a unique selling point. Too bad they seem to have forgotten to audit their own stuff instead.

  8. Nvidia baseband source code was available by xarragon · · Score: 4, Informative

    The exploit is not in the baseband; it is a local socket on the phone accessible by apps with no special privileges (as far as I can tell).

    Phil Zimmermann gave a talk on the Blackphone at Defcon 22:
    DEF CON 22 How To Get Phone Companies To Just Say No To Wiretapping

    I have transcribed this from the time 26:10 in the video:
    26:10 Question from audience member:
            Hi, so traditional phones are dependent on the baseband processor,
            which has a whole lot of flaws depending on the protocols that they
            are using. What are you doing to mitigate baseband processor factors?

            Zimmermann:
            Yeah, that is a good question. We had a meeting at Nvidia, because
            Nvidia makes the chipsets that we are using for Blackphone.
            And Nvidia had apparently acquired a company a while back that
            made a baseband processor. It was built around a software defined
            radio.

            And I asked them that question; Can we do an independent security
            review for the firmware for the baseband processor.
            And they said they would be open to that.

            In fact, they were delighted to have a customer expressing interest
            in really taking a close look at their baseband processor;
            no other customer had ever brought up the question before.

            You know, no other customer is as obsessive over it as we are.

    I guess they should have spent some time looking at their own stuff rather than other people's code in this case.

    1. Re:Nvidia baseband source code was available by NormalVisual · · Score: 1

      I guess they should have spent some time looking at their own stuff rather than other people's code in this case.

      Yeah, really. I would have thought that a product being advertised as having such comprehensive security would have each firmware release candidate thoroughly tested for such things under a variety of situations. Having missed an open port listening for traffic, even if it's only in the internal environment, doesn't give me a lot of confidence that there aren't other problems to be found.

      --
      Please stand clear of the doors, por favor mantenganse alejado de las puertas
    2. Re:Nvidia baseband source code was available by swb · · Score: 1

      How can they possibly be expected to keep up with the latest trends in user interface graphic design if they spend their resources on complex and time-consuming security reviews? We need to rev this sucker every 9-12 months with new GUI designs to keep it fresh and relevant. UI experts are finding new and improved ways to do familiar tasks based on the latest trends in all-white backgrounds, small type, big buttons and the latest in little spinning widgets that show you how hard your phone is working.

      If we devoted efforts on security reviews, we'd have to keep pushing out familiar, old-fashioned user interfaces that would look out of place at the newest yoga studios, craft breweries and locally sourced, cruelty free, organic beard grooming parlors.

  9. More at play? by AtomicSymphonic · · Score: 1

    From what I'm reading on their web post about the issue, it seems like there might be *ulterior motives* to PayPal blocking Neo900 from getting their funds to run business as usual.

    Probably because the tech inside the phone (modem separated from CPU and cannot be remotely activated whatsoever) poses a real danger to surveillance efforts from the US government, at least.

    This is, of course, all speculation with a dash of paranoia. Maybe it is just some technicality that will be resolved in short order.