Slashdot Mirror

← Back to Stories (view on slashdot.org)

Encrypted Blackphone Patches Serious Modem Flaw (threatpost.com)

Posted by samzenpus on from the now-more-secure dept.

msm1267 writes: Silent Circle, makers of the security and privacy focused Blackphone, have patched a vulnerability that could allow a malicious mobile application or remote attacker to access the device's modem and perform any number of actions. Researchers at SentinelOne discovered an open socket on the Blackphone that an attacker could abuse to intercept calls, set call forwarding, read SMS messages, mute the phone and more. Blackphone is marketed toward privacy-conscious users; it includes encrypted messaging apps such as SilentText and Silent Phone, and it runs on a customized, secure version of Android, called PrivatOS.

7 of 27 comments (clear)

  1. Baseband processors are the problem by Gravis+Zero · · Score: 4, Interesting

    Baseband processors (aka modems) have been the greatest technical weakness in cellphones since the dawn of SIM cards. They operate independently of the primary CPU and still crash when fuzzed and yet still have DMA lines to your RAM. Perhaps the bigger problem is how absurdly complex the ever growing number of protocol standards there are for baseband processors.

    --
    Anons need not reply. Questions end with a question mark.
  2. Neo900 phone by Anonymous Coward · · Score: 4, Interesting

    The Neo900.org phone deliberately uses a CPU that does not have a modem built into it. The modem is a separate chip, and there is a watchdog chip that instantly resets it if it tries to do anything when supposed to be off.

    1. Re: Neo900 phone by bill_mcgonigle · · Score: 3, Interesting

      Reportedly they've gotten PayPal to cripple that project.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Neo900 phone by Gravis+Zero · · Score: 2

      Its also physically impossible for anyone to remotely activate the microphone on the Neo900 or remotely steal audio

      unless there is a switch that you have to manually flip to connect and disconnect the microphone, you don't understand what "physically impossible" actually means.

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:Neo900 phone by Anonymous Coward · · Score: 2, Interesting

      From their FAQ:
      http://neo900.org/faq

      Isn't a non-free baseband firmware a privacy issue?

      We're going to address privacy concerns of non-free modem firmware by ensuring that the modem has access to no more data than absolutely necessary, so it won't be able to spy on anything that's not already available on carrier side. On Neo900 one can be sure that the modem is actually turned off when requested, not just pretending to be. Users will be notified in case of the modem wanting to do something without their consent.

      Unlike some other smartphones do, Neo900 won't share system RAM with the modem and system CPU will always have full control over the microphone signal sent to the modem. You can think of it as a USB dongle connected to the PC, with you in full control over the drivers, with a virtual LED to show any modem activity

  3. Nvidia baseband source code was available by xarragon · · Score: 4, Informative

    The exploit is not in the baseband; it is a local socket on the phone accessible by apps with no special privileges (as far as I can tell).

    Phil Zimmerman gave a talk on the Blackphone at Defcon 22:
    DEF CON 22 How To Get Phone Companies To Just Say No To Wiretapping

    I have transcribed this from the time 26:10 in the video:
    26:10 Question from audience member:
            Hi, so traditional phones are dependant on the baseband processor,
            which has a whole lot of flaws depending on the protocols that they
            are using. What are you doing to mitigate baseband processor factors?

            Zimmerman:
            Yeah, that is a good question. We had a meeting at Nvidia, because
            Nvidia makes the chipsets that we are using for Blackphone.
            And Nvidia had apparently aquired a company a while back that
            made a baseband processor. It was built around a software defined
            radio.

            And I asked them that questiom; Can we do an independant security
            review for the for firmware for the baseband processor.
            And they said they would be open to that.

            In fact, they were delighted to have a customer expressing interest
            in really taking a close look at their baseband processor;
            no other customer had ever brought up the question before.

            You know, no other customer is as obsessive over it as we are.

    I guess they should have spent some time looking at their own stuff rather than other people's code in this case.

  4. Re:Aaaand it's gone! by Yonder+Way · · Score: 2

    Zero credibility.

    Any competent University CS major programmer could have figured out this was a stupid fucking hole. They are clearly incompetent and should not be in the security industry.

    Yeah... who the fuck does this Phil Zimmermann guy think he is?