Blackphone given black eye by vulnerability discovery

A vulnerability that allows an attacker to act as a ‘shell user’ on the first version of SilentCircle's Blackphone has been discovered by SentinelOne, purveyors of endpoint security.

The Blackphone gained notoriety in the security industry for being the only phone that gives users control over app permissions, and for its bundled services, such as Silent Phone and Silent Text, which anonymise and encrypt communications so that no one can eavesdrop on voice, video and text calls.

While preparing for a Red Naga training session, Tim Strazzere's team at SentinelOne found a vulnerability within the Nvidia modem onboard the Blackphone. SentinelOne said that they discovered a socket had been left open and accessible:

shell@blackphone:/dev/socket $ ls -l at_pal
srw-rw-rw- radio system 2015-07-31 17:51 at_pal

This meant that the following was possible:

  • Send or receive text messages without the user knowing in any way
  • Dial or connect calls
  • Check the state of phone calls silently
  • Reset APN/SMSC/Power settings
  • Force conference calls with other numbers
  • Force/unforce caller ID settings
  • Find neighbouring cell towers the phone is connected to
  • Silently register a call forwarding number
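
The listing above shows the problem in its last three permission characters: the socket is readable and writable by every user on the device. The following audit is an added example, not code from SentinelOne or SilentCircle; it parses captured `ls -l` output and flags sockets that are writable by 'other'. Only the at_pal line comes from the article, and the other sample entries and the function name are constructed for illustration.

```python
import re

# Constructed sample of `ls -l /dev/socket` output in the old Android toolbox
# format. Only the at_pal line comes from the article; the rest is made up.
SAMPLE_LISTING = """\
srw-rw---- root     system            2015-07-31 17:51 example_daemon
srw-rw-rw- radio    system            2015-07-31 17:51 at_pal
srw-rw---- root     radio             2015-07-31 17:51 example_modem
drwxr-xr-x root     root              2015-07-31 17:51 example_dir
srw-rw--w- system   system            2015-07-31 17:51 example_writeonly
"""

MODE_RE = re.compile(r"^[bcdlps-][rwxsStT-]{9}")


def world_accessible_sockets(listing):
    """Return findings for UNIX sockets that any local user may write to.

    Connecting to a UNIX socket requires write permission on it, so the
    'other' write bit is what exposes a socket to every app on the device.
    """
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 4 or not MODE_RE.match(fields[0]):
            continue  # blank line, "total N" header, or something unparseable
        mode = fields[0][:10]
        if mode[0] != "s" or mode[8] != "w":
            continue  # not a socket, or not writable by 'other'
        # toolbox prints "mode owner group ..."; toybox/GNU ls put a link
        # count before the owner, so skip it when present.
        owner_idx = 2 if fields[1].isdigit() else 1
        findings.append({
            "name": fields[-1],
            "mode": mode,
            "owner": fields[owner_idx],
            "group": fields[owner_idx + 1],
            "world_readable": mode[7] == "r",
        })
    return findings


if __name__ == "__main__":
    for f in world_accessible_sockets(SAMPLE_LISTING):
        print(f"{f['mode']} {f['owner']}:{f['group']} {f['name']}")
```
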

The vulnerability has now been patched. Standing by the Blackphone, Strazzere pointed out in his blog on his findings that, “The Blackphone is generally considered the most secure smartphone available today.”

SilentCircle were contacted for comment, but instead sent a blog post which says they stand by the phone and would still say it is the most secure Android smartphone on the market, mostly because of their commitment to quick patching.