What is arguably the world’s most secure Smartphone may not be quite as secure as users have been led to believe. A hackable bug has been discovered that allows Silent Circle’s Blackphone 1 to be hijacked.
On its release, Silent Circle’s Blackphone was billed as the first Smartphone built with privacy at its core. The phone looks like any other Smartphone and functions just like an Android device. However, it runs on Silent OS, a custom-designed Android OS that to all intents and purposes closes all possible backdoors. At least, that was the plan. It turns out that not all backdoors have actually been closed.
Backdoor Exists in World’s Most Secure Smartphone
Researchers at SentinelOne have discovered a backdoor that allows the ultra-secure Smartphone to be hijacked by hackers. While the user will believe their phone calls and text messages are perfectly secure, a hacker could be listening in to calls and monitoring the numbers that are being dialed or received. The security flaw would also allow an attacker to read text messages sent or received, change caller ID settings, mute the modem speaker, kill the modem, silently check numbers, make calls via the phone, or force conference calls with other individuals.
A person attempting to call the user of a hijacked Blackphone could have that phone call directed to the attacker without the Blackphone user being aware that the call is taking place.
The Blackphone security vulnerability is not in the software, but is a security flaw in the device’s inbuilt modem. The modem contains an open socket which could allow a hacker to run radio commands. The open port may have been used by the phone’s developers for debugging, yet the internal port was not secured before the phone’s release. A simple oversight maybe, but one which leaves the phone open to attack by hackers.
The vulnerability could be exploited via a malicious app, or it is conceivable that the owner of the phone could be targeted with a phishing campaign and convinced to run malicious code.
Researchers do not believe that the vulnerability has been exploited in the wild, and a software update has now been issued to address the vulnerability. All users must update to 1.1.13 RC3 or above to secure their device. Now that the vulnerability has been disclosed, the update is critical.
A bug in a Smartphone is to be expected, but for one to exist in what is supposedly one of the world’s most secure Smartphones is something of a worry. Furthermore, this is not the only Blackphone bug discovered. Last year, a Blackphone security vulnerability was uncovered in its secure messaging application. The memory corruption vulnerability could be exploited remotely by a hacker and used to gain the privileges of the messaging application. This would enable the attacker to decrypt the Blackphone’s encrypted messages, read contact information, run code, or write to external storage.