Silent Circle's Blackphone Exploited at Def Con

Def Con shows no mercy. As gleefully reported by sites several Blackberry-centric sites, researcher Justin Case yesterday demonstrated that he could root the much-heralded Blackphone in less than five minutes. From n4bb.com's linked report: "However, one of the vulnerabilities has already been patched and the other only exploitable with direct user consent. Nevertheless, this only further proves you cannot add layers of security on top of an underlying platform with security vulnerabilities." Case reacts via Twitter to the crowing: "Hey BlackBerry idiots, stop miss quoting me on your blogs. Your phone is only "secure" because it has few users and little value as a target."

Re:

[Dishevel]

Maybe we can get DARPA to decide to kill him instead of innocent passwords.

Re:What underlying platform?

[AchilleTalon]

Blackphone is not a BlackBerry phone, it is a competitor. That's why BB fans quoted Justin Case as if he did prove BB is superior to Blackphone, which isn't what he proved. BlackBerry's CEO claimed the Blackphone was only consumer-grade privacy, not business grade privacy, implying BB products are superior in terms of security. Which Justin Case doesn't agree claiming they appear safer only because they are a low interest traget to hackers.

To summarise, it is not about underlying BB platform at all, rather than about the Blackphone underlying platform.

Re:What underlying platform?

[demachina]

Not clear if Case is claiming Blackberry's were never of interest to hackers or are just of no interest lately.

Blackberrys were until recent years very high value targets, they were the phone of choice on Wall Street, for politicians and reporters.

It wasn't that long ago repressive regimes like Saudi Arabia were telling Blackberry to back door their phones/servers or get locked out of their market which tends to suggest they must have been pretty good at something.

There is probably something to be said for phones without a third party app market if security is job one. Android in particular is a pretty juicy target for malware.

Still Secret Source?

[bill_mcgonigle]

Blackphone is the "you can't look at it, but trust us" self-proclaimed "security" company, right? And it's easily exploitable?

Dog-bites-man story.

Re:Still Secret Source?

[chihowa]

It's one reason why I can't rally behind Phil Zimmerman, as much as I like PGP and appreciate much of what he's done. His insistence on keeping security software secretive and closed source, while seeming to understand the concept of trust, is baffling.

Re:

[bug1]

+1

Re:

[hsmith]

AFAIK all of blackphones source is in the public.

miss quoting

[Frankie70]

Hey BlackBerry idiots, stop miss quoting me on your blogs.

Misquoting Justin, misquoting. Not miss quoting.

Re:

[Anonymous Coward]

That's what she said. (Do you see what I did there?)

Why the story is so Blackberry focused?

[gmuslera]

How it affects Blackberry that an Android-based OS focused on security and privacy have some vulnerabilities? Is not BB10 OS based, even having an emulation layer that enables it to run Android programs. They could as well talk about iOS or Windows Phone users too. Even Tizen (that at least run Linux as Android) would be more related to this than Blackberry.

Direct user consent?

[JaredOfEuropa]

I read somewhere else that the remaining vulnerability involved "plugging the phone into a PC". A modified charger might exploit the vulnerability equally well, and it already sounds a lot worse than requiring my direct consent.

For some people (upper management, dissidents and the like), secure communication is not sufficient, they also need the phone to remain secure if it is lost or stolen. If having posession of the phone is the only thing that stands in the way of rooting it using this exploit, it

Re:Direct user consent?

[ledow]

Physical access to any electronic device is basically an avenue for compromise. You really can't avoid it - at that point, it's no longer a question of "is the device secure?" as "is is STILL secure"... the only factors are how long it's out of your possession and how many obstacles are in the way of compromising it.

Same as anything with computers - physical access to the machine means it's game over. This applies for everything from games consoles to dvd players to phones to DRM schemes to "secure boot".

Physical access is game over. If you're lucky, you've used perfect forward secrecy and implemented it perfectly and know the device is missing and immediately blacklist it from your systems. Anything else (like real-life) is a security hole.

Re:

[JaredOfEuropa]

The only factors are how long it's out of your possession and how many obstacles are in the way of compromising it.

Exactly. So in order to secure your phone, you want to throw as many obstacles in the path of the thief as possible.
PIN lock? Good.
PIN lock w/ 3 attempts and automatic wipe after? Better.
Automatic wipe if the phone has not been unlocked in a certain period of time? Even better.
Allowing unlock after a certain amount of time only if the phone can contact a certain server (so it can receive and a remote wipe command if one was issued)? Better still.
Data-at-rest is encrypted? It better be.

To get p

Re:

[GuB-42]

You have to balance things somehow. I'm not sure many people will want their phone to be wiped just because someone looks at it funny.
If you make it easy to inadvertantly wipe data, you also need to have easy to access backups and these can be a security issue in their own right.

Re:

[Dishevel]

I would be fine with that. As long as there is a central server I can get my data back from.

Shit have my phone back up every day at 11:30 PM, Wipe at 2 AM. Restore at 5 AM.

Fine by me.

Re:

[GuB-42]

Yes, auto-backup-restore from a central server is the obvious solution.
However you have to do it properly, or else, it will become the weak point. You have to be careful of packet sniffing and man-in-the-middle attacks. Your server can be attacked too. And the more convinient you make your backups, the less secure they tend to be.

I think that the best compromise to turn on full disk encryption and that in case of anomaly (such as too many failed unlocks) the phone shuts down. Properly encrypted data are alm

Re:

[Dishevel]

Yes. But what you do not want is to have physical access to the device means "Game over" in 5 minutes or less.

"Little value as target"

[Anonymous Coward]

Yeah sure. I'm sure BB has very little value as a target, not when some of the most high profile people in the world uses it that has wealth and power greater than every other person in the world with any other phone combined.

Makes me wonder where he's been living under all these time.

Re:

[93 Escort Wagon]

It was a Twitter post - so I imagine he spent roughly one second thinking about it before typing that.

But I realize it's hard to not overreact or take stuff like that personally when there are only a half-dozen of you Blackberry users left in the world.

Re:

[AchilleTalon]

What's the point about the market share? A company can be healthy and profitable without being the market leader, suffice to have a niche market share composed of wealthy customers ready to pay premium for products designed for their needs. Note, I am not saying BB is that, what I am saying is refraining about the market share size of a company is a false argument without the context.

In fact, BB's error was probably just that, go after the whole market and introduce multiple products, including low-end prod

Re:

[Luckyo]

He's living in a world where he's marketing his services to companies that sell to those masses. Not those few.

Professionals who handle security for those few don't advertise their work like this.

Cell phones are insecure.

[Kenja]

It's inherent in how they work. Rather then trying to secure them, which I don't think can be done, just start assuming they are insecure and treat them as such. Don't hold a private, personal conversation in a crowded public room and don't send text messages you don't want other people to see.

Re:

[ledow]

I think that's pessimistic. That might be how they work NOW but there's no reason that an end-to-end secure cellphone network cannot exist.

Security of the conversation is basically guaranteed using TLS etc. Provide a certificate to your contacts, instead of a phone number. That certificate can encrypt communications to yourself so only you can decrypt them.

The biggest problem is routing, but that's something that can be layered over using the data network facilities and software like Tor.

The problems all

Re:

[Miamicanes]

no reason that an end-to-end secure cellphone network cannot exist.

The problem is, you will never, EVER control every single bit & atom along the signal path between your vocal cords and the recipient's ear. Without PKI, you're vulnerable to MITM. With PKI, you're vulnerable to compromise of the PKI infrastructure itself. Or compromise to the layer that enforces PKI's use. The best you can ever really hope for is to eliminate enough failure points to at least NOTICE the possibility that your communication might be getting intercepted or compromised.

Is absolute security

Re:

[tepples]

It depends on how many ARM SoC vendors make OpenBSD a priority.

new advertising paradigm... we suck, you're safe

[swschrad]

they've tried everything else, why not that?

Lemons and Lenomaid.

[fahrbot-bot]

Nevertheless, this only further proves you cannot add layers of security on top of an underlying platform with security vulnerabilities.

Okay. And when will an underlying platform without security vulnerabilities be ready - phone or otherwise?

Interesting!

[vomitology]

Company says something is 'secure', gets proven wrong. This is *exciting stuff*, people!

Silent Circle response part 1

[mrkoot]

Silent Circle's response part 1 [medium.com]:

Blackphone rooted at DefconâS -- Part 1

Greetings from Def Con! Thus far Team Blackphone has been having a very positive Con. We have been receiving a lot of positive feedback and praise for taking on the flag of building and maintaining a secure and private smartphone system. This was a challenge that we knew full well would not be easy, but if it were easy then anyone could do it.

The researcher @TeamAndIRC was a little miffed at our initial response to his inquiry and I understand his point. In response, he had a t-shirt made that stated he rooted the Blackphone at Def Con. The ironic part to this is I would have absolutely gone over and made that t-shirt for him myself once the full vulnerability was explained. @TeamAndIRC and I had a chat here at Def Con. I would like to thank him for not blowing the issue out of proportion and going back to the twittersphere for a little more transparency by explaining that direct user interaction is required and that we had already patched one of the vulnerabilities through the OTA update.

According to @TeamAndIRC there were three issues discovered. The first one is that he was able to get ADB turned on. Turning ADB on is not a vulnerability as this is part of the Android operating system. We turned ADB off because it causes a software bug and potentially impacts the user experience, a patch is forthcoming. His second discovery is accurate and here is the point I want to stress to the community. We found this vulnerability on July 30, had the patch in QA on July 31, and the OTA update released on August 1. That is pretty fast, no?

When @TeamAndIRC details the third vulnerability today at Def Con around 2pm PST we will be on the floor. We will get the details, and feel confident that we will have the system patched just as fast as last time. That is our commitment to the community â" to close the threat window faster than any other OEM. So, for now stay tuned as we will have an update later today.

Sincerely,

Dan Ford, D.Sc. (@netsecrex)
Chief Security Officer
SGP Technologies

So they can root that... but not...

[Karmashock]

the Moto X from Verizon version 4.4.2?

there are a lot of locked bootloaders out there that so far don't seem to be breached.