Forgot your password?
typodupeerror
Security Android Blackberry Cellphones Communications Encryption Handhelds Privacy

Silent Circle's Blackphone Exploited at Def Con 46

Posted by timothy
from the outharshing-one-another dept.
Def Con shows no mercy. As gleefully reported by sites several Blackberry-centric sites, researcher Justin Case yesterday demonstrated that he could root the much-heralded Blackphone in less than five minutes. From n4bb.com's linked report: "However, one of the vulnerabilities has already been patched and the other only exploitable with direct user consent. Nevertheless, this only further proves you cannot add layers of security on top of an underlying platform with security vulnerabilities." Case reacts via Twitter to the crowing: "Hey BlackBerry idiots, stop miss quoting me on your blogs. Your phone is only "secure" because it has few users and little value as a target."
This discussion has been archived. No new comments can be posted.

Silent Circle's Blackphone Exploited at Def Con

Comments Filter:
  • by bill_mcgonigle (4333) * on Sunday August 10, 2014 @12:39PM (#47642307) Homepage Journal

    Blackphone is the "you can't look at it, but trust us" self-proclaimed "security" company, right? And it's easily exploitable?

    Dog-bites-man story.

  • by Frankie70 (803801) on Sunday August 10, 2014 @12:42PM (#47642313)

    Hey BlackBerry idiots, stop miss quoting me on your blogs.

    Misquoting Justin, misquoting. Not miss quoting.

    • by Anonymous Coward
      That's what she said. (Do you see what I did there?)
  • How it affects Blackberry that an Android-based OS focused on security and privacy have some vulnerabilities? Is not BB10 OS based, even having an emulation layer that enables it to run Android programs. They could as well talk about iOS or Windows Phone users too. Even Tizen (that at least run Linux as Android) would be more related to this than Blackberry.
  • I read somewhere else that the remaining vulnerability involved "plugging the phone into a PC". A modified charger might exploit the vulnerability equally well, and it already sounds a lot worse than requiring my direct consent.

    For some people (upper management, dissidents and the like), secure communication is not sufficient, they also need the phone to remain secure if it is lost or stolen. If having posession of the phone is the only thing that stands in the way of rooting it using this exploit, it
    • by ledow (319597) on Sunday August 10, 2014 @01:47PM (#47642613) Homepage

      Physical access to any electronic device is basically an avenue for compromise. You really can't avoid it - at that point, it's no longer a question of "is the device secure?" as "is is STILL secure"... the only factors are how long it's out of your possession and how many obstacles are in the way of compromising it.

      Same as anything with computers - physical access to the machine means it's game over. This applies for everything from games consoles to dvd players to phones to DRM schemes to "secure boot".

      Physical access is game over. If you're lucky, you've used perfect forward secrecy and implemented it perfectly and know the device is missing and immediately blacklist it from your systems. Anything else (like real-life) is a security hole.

      • The only factors are how long it's out of your possession and how many obstacles are in the way of compromising it.

        Exactly. So in order to secure your phone, you want to throw as many obstacles in the path of the thief as possible.
        PIN lock? Good.
        PIN lock w/ 3 attempts and automatic wipe after? Better.
        Automatic wipe if the phone has not been unlocked in a certain period of time? Even better.
        Allowing unlock after a certain amount of time only if the phone can contact a certain server (so it can receive and a remote wipe command if one was issued)? Better still.
        Data-at-rest is encrypted? It better be.

        To get p

        • by GuB-42 (2483988)

          You have to balance things somehow. I'm not sure many people will want their phone to be wiped just because someone looks at it funny.
          If you make it easy to inadvertantly wipe data, you also need to have easy to access backups and these can be a security issue in their own right.

          • by Dishevel (1105119)
            I would be fine with that. As long as there is a central server I can get my data back from.

            Shit have my phone back up every day at 11:30 PM, Wipe at 2 AM. Restore at 5 AM.

            Fine by me.

            • by GuB-42 (2483988)

              Yes, auto-backup-restore from a central server is the obvious solution.
              However you have to do it properly, or else, it will become the weak point. You have to be careful of packet sniffing and man-in-the-middle attacks. Your server can be attacked too. And the more convinient you make your backups, the less secure they tend to be.

              I think that the best compromise to turn on full disk encryption and that in case of anomaly (such as too many failed unlocks) the phone shuts down. Properly encrypted data are alm

      • by Dishevel (1105119)
        Yes. But what you do not want is to have physical access to the device means "Game over" in 5 minutes or less.
  • by Anonymous Coward

    Yeah sure. I'm sure BB has very little value as a target, not when some of the most high profile people in the world uses it that has wealth and power greater than every other person in the world with any other phone combined.

    Makes me wonder where he's been living under all these time.

    • It was a Twitter post - so I imagine he spent roughly one second thinking about it before typing that.

      But I realize it's hard to not overreact or take stuff like that personally when there are only a half-dozen of you Blackberry users left in the world.

      • What's the point about the market share? A company can be healthy and profitable without being the market leader, suffice to have a niche market share composed of wealthy customers ready to pay premium for products designed for their needs. Note, I am not saying BB is that, what I am saying is refraining about the market share size of a company is a false argument without the context.

        In fact, BB's error was probably just that, go after the whole market and introduce multiple products, including low-end prod

    • by Luckyo (1726890)

      He's living in a world where he's marketing his services to companies that sell to those masses. Not those few.

      Professionals who handle security for those few don't advertise their work like this.

  • by Kenja (541830) on Sunday August 10, 2014 @01:41PM (#47642575)
    It's inherent in how they work. Rather then trying to secure them, which I don't think can be done, just start assuming they are insecure and treat them as such. Don't hold a private, personal conversation in a crowded public room and don't send text messages you don't want other people to see.
    • by ledow (319597)

      I think that's pessimistic. That might be how they work NOW but there's no reason that an end-to-end secure cellphone network cannot exist.

      Security of the conversation is basically guaranteed using TLS etc. Provide a certificate to your contacts, instead of a phone number. That certificate can encrypt communications to yourself so only you can decrypt them.

      The biggest problem is routing, but that's something that can be layered over using the data network facilities and software like Tor.

      The problems all

      • no reason that an end-to-end secure cellphone network cannot exist.

        The problem is, you will never, EVER control every single bit & atom along the signal path between your vocal cords and the recipient's ear. Without PKI, you're vulnerable to MITM. With PKI, you're vulnerable to compromise of the PKI infrastructure itself. Or compromise to the layer that enforces PKI's use. The best you can ever really hope for is to eliminate enough failure points to at least NOTICE the possibility that your communication might be getting intercepted or compromised.

        Is absolute security

  • they've tried everything else, why not that?

  • Nevertheless, this only further proves you cannot add layers of security on top of an underlying platform with security vulnerabilities.

    Okay. And when will an underlying platform without security vulnerabilities be ready - phone or otherwise?

  • Company says something is 'secure', gets proven wrong. This is *exciting stuff*, people!
  • by mrkoot (699253) on Sunday August 10, 2014 @02:29PM (#47642843)
    Silent Circle's response part 1 [medium.com]:

    Blackphone rooted at DefconâS -- Part 1

    Greetings from Def Con! Thus far Team Blackphone has been having a very positive Con. We have been receiving a lot of positive feedback and praise for taking on the flag of building and maintaining a secure and private smartphone system. This was a challenge that we knew full well would not be easy, but if it were easy then anyone could do it.

    The researcher @TeamAndIRC was a little miffed at our initial response to his inquiry and I understand his point. In response, he had a t-shirt made that stated he rooted the Blackphone at Def Con. The ironic part to this is I would have absolutely gone over and made that t-shirt for him myself once the full vulnerability was explained. @TeamAndIRC and I had a chat here at Def Con. I would like to thank him for not blowing the issue out of proportion and going back to the twittersphere for a little more transparency by explaining that direct user interaction is required and that we had already patched one of the vulnerabilities through the OTA update.

    According to @TeamAndIRC there were three issues discovered. The first one is that he was able to get ADB turned on. Turning ADB on is not a vulnerability as this is part of the Android operating system. We turned ADB off because it causes a software bug and potentially impacts the user experience, a patch is forthcoming. His second discovery is accurate and here is the point I want to stress to the community. We found this vulnerability on July 30, had the patch in QA on July 31, and the OTA update released on August 1. That is pretty fast, no?

    When @TeamAndIRC details the third vulnerability today at Def Con around 2pm PST we will be on the floor. We will get the details, and feel confident that we will have the system patched just as fast as last time. That is our commitment to the community â" to close the threat window faster than any other OEM. So, for now stay tuned as we will have an update later today.

    Sincerely,

    Dan Ford, D.Sc. (@netsecrex)
    Chief Security Officer
    SGP Technologies

  • the Moto X from Verizon version 4.4.2?

    there are a lot of locked bootloaders out there that so far don't seem to be breached.

I judge a religion as being good or bad based on whether its adherents become better people as a result of practicing it. - Joe Mullally, computer salesman

Working...