BlackPhone was also hacked last year at the BlackHat security conference, but the interesting factor about the recent hack was that the attackers only needed to send just a message on a targeted phone number in order to compromise the device.
The vulnerability was first discovered and disclosed by Mark Dowd, a principal security researcher at the Australia-based consultancy firm Azimuth Security. Dowd discovered the issue late in 2014, but waited to disclose it until Blackphone got their patches and fixes in place.
The flaw actually resides in Silent Text application — the secure text messaging application bundled with the BlackPhone handsets, which is also freely available as Android App on Google Play Store.
Exploiting the vulnerability would have allowed hackers to perform following tasks:
- Decrypt messages and read messages
- Read and steal contacts
- Monitor geographic locations of the phone
- Write code or text to the phone's external storage
- Enumerate the accounts stored on the device
"Successful exploitation can yield remote code execution with the privileges of the Silent Text application, which runs as a regular Android app, but with some additional system privileges required to perform its SMS-like functionality such as access to contacts, access to location information, the ability to write to external storage, and of course net access," Dowd said.
The vulnerability occurred due to a component known as libscimp — the BlackPhone implementation of the Silent Circle Instant Messaging Protocol (SCIMP) which runs on the Extensible Messaging and Presence Protocol (XMPP) — that contained a type of memory corruption flaw known as a type confusion vulnerability.
SCIMP is used by the creators of BlackPhone in an effort to create a secure end-to-end encryption channel between people sending text messages. It also handles the transportation of the encrypted data through the channel.
Now, this SCIMP implementation supplied with SilentText contains a type confusion vulnerability, typically allowing attackers to "directly overwrite a pointer in memory (either partially or in full), which when successfully exploited can be used to gain remote, unauthenticated access to the vulnerable device."
Dowd has given a solid technical description on his blog, so you may refer his blog post for more detailed explanation about the critical vulnerability.
The vulnerability has since been patched, but it is a powerful reminder for those who, no doubt, did a lot of things right to provide strong encryption to its users, but in this era of more complex software and advanced hacking, there is no such guarantee that your product can not be hacked.
