BlackPhone, In Wake of Gemalto Fallout, Receives $50 Million In Funding
An anonymous reader writes: The BlackPhone, a $600-plus encrypted Android handset designed to keep the prying eyes of criminals and the government out of mobile communications, is now fully owned by Silent Circle thanks to the company raking in investment cash. Terms of the buyout deal with Spanish smartphone maker Geeksphone, the phone's hardware manufacturer, were not disclosed. Silent Circle said Thursday that it has raised $50 million and plans on showing off an encrypted 'enterprise privacy ecosystem' at World Mobile Congress next week. A BlackPhone tablet is on the way, too.
NSA involvement? (Score:5, Insightful)
I have to ask: is there secret NSA involvement in this? An inside man who will put a couple of back-doors in the 'phone.
I have absolutely no knowledge that this is the case, but the NSA certainly has the resources & motivation to do so. It seems to have done this sort of thing in the past.
Re: (Score:3)
Silent Circle was partially founded by Philip Zimmermann, so that's supposed to lend some credibility to the operation. The company, and PZ in general, still operate on the premise that trust in them should be enough for anybody, so the operation will be opaque and the source closed.
I really respect a lot of what Zimmermann has done, but we're finding out more and more that our trust in institutions was ill placed. I don't think his model works in our current world. Finding out in twenty years that Silent C
Re: (Score:3)
Zimmermann might well be good and honest ... but how well does he know the people who he will employ to help him? What if one of them has a problem: financial/drugs/marital/... that allows the NSA to put pressure on them ("help them out of their sticky situation") in return for "something that is in the best interests of the USA"?
In mitigation: they do publish their source code for review [silentcircle.com]. I don't know how easy it is to check that that is what is installed on the phone that you buy.
Re: (Score:2)
Sure... Publish the software. What the hell, publish the firmware too. You could even publish the schematics for all the chips.
How would you as an end user validate that the nefarious bits aren't actually in the chips, transparently altering the firmware and bypassing protections in software?
Sadly we are in a post-trust mode now. Nothing can be trusted no matter the source or your due diligence. It starts to feel a lot like the secret police watching your every move.
Just to make things interesting, you a
Great, fully owned by Silent Circle (Score:4, Informative)
A company with offices in USA, under the jurisdiction of the FBI's NSLs
Re: Great, fully owned by Silent Circle (Score:5, Insightful)
A company whose headquarters are in Geneva and complying with any secret order would violate the Swiss constitution and make executives personally liable with guaranteed jail time.
Re: Great, fully owned by Silent Circle (Score:5, Informative)
Look up Crypto AG. Switzerland can easily be bullied.
Re: Great, fully owned by Silent Circle (Score:1)
Hardly easy and a great source of PR from a company perspective if they refuse to comply with orders. You need to read Machiavelli. How fantastic for sales would it be if you're the only company that's proven to tell the US to fuck off.
Also note Zimmermann's involvement. The guy who stood up to the US in the 90s. These guys will go to jail before being bullied. No backdoor is their only right to exist.
Re: Great, fully owned by Silent Circle (Score:5, Interesting)
The issue with Silent Circle isn't their jurisdiction. It's that their code is of deeply questionable quality. They recently had a remote code execution exploit that could be triggered just by sending a text message to their phone. It's been literally years since one of these affected mainstream software stacks, so how was that possible?
Well, they wrote their own SMS parsing code, in C, and used JSON to wrap binary encrypted messages [azimuthsecurity.com] and there was a bug that could cause memory corruption when the JSON wasn't exactly in the form they expected.
The amount of fail in that sentence is just amazing. They're a company which justifies its entire existence with security, writing software to run on a smartphone where the OS itself is written in a memory safe language (Java) and yet they are parsing overly complex data structures off the wire ..... in C. That isn't just taking risks, that's playing Russian roulette over and over again. And eventually it killed them. Remote code execution via SMS - ye gods.
After learning about that exploit and more to the point, why it occurred, I will strongly recommend against using Silent Circle for anything. Nobody serious about security should be handling potentially malicious data structures in C, especially not when the rest of the text messaging app is written in Java. That's just crazy.
Re: (Score:2)
Remote code execution via SMS - ye gods.
By itself, it's bad enough, but how it got past 'the crowd' is the issue to study.
I bought the fully encrypted phone (Score:5, Insightful)
Re: (Score:3, Funny)
You need an app for that?
Re: (Score:2)
Re: (Score:2)
...and girlfriend.
Don't you already operate the phone with your hand? I kid, you make a valid and important point.
Re: (Score:3)
Don't you already operate the phone with your hand?
Most people have more than the average number of hands.
Re: Why is this a thing? (Score:1)
Why is Red Hat a thing? I mean Linux is free right? How could anything free have value in an enterprise setting?
Simply put it has value because it does a lot more than a Cyanogen phone (this is being typed on one). BlackPhone is far more hardened and set up for enterprise rollout with the appropriate integration and support. The security center is also a lot more advanced than the one on Cyanogen.
Re: Why is this a thing? (Score:1)
The problem with Android phones is that you can't secure them fully. Period. There is no way. The baseband is a mysterious black box chip that has shared access to the system RAM and nothing short of a fully open source implementation of LTE or GSM or whatever will fix that.
The black phone sequesters the baseband and only powers it up when it's being used.
There is no way to achieve that with even the most tin foil toting custom ROM on a standard handset.
Re: (Score:3)
The problem with all phones is that you can't secure them fully. Period. There is no way. The baseband is a mysterious black box chip that has shared access to the system RAM and nothing short of a fully open source implementation of LTE or GSM or whatever will fix that.
The black phone sequesters the baseband and only powers it up when it's being used.
There is no way to achieve that with even the most tin foil toting custom ROM on a standard handset.
FTFY
Re: (Score:2)
Re: (Score:1)
It's not that they are doing something that you can't do yourself, it's that they've done it for you so that you don't have to.
Re: (Score:2)
Since the SoC functions are still a black box, I'd rather just go with a ROM on a moddable handset like the HTC One M8 with XPrivacy installed, where even if a basic fleshlight app demanded every priv under the sun, it won't get it. When it comes to phones, having the ability to block apps from phoning home is a major security feature.
Even better, why can't a company work on virtualization on a handset? That way, one can have a VM for web browsing, one for work stuff, one for home/personal, and one for clie
What *is* their market? (Score:4, Insightful)
Given that iOS and Android can and do encrypt user data now, and that web device communications encryption is largely a question of whether a site uses SSL/HTTPS, what is the distinguishing feature of these phones that would make them marketable?
To me it looks like pure marketing hype, not a real benefit compared to other devices now that they've started using encryption.
Re: What *is* their market? (Score:4, Informative)
End to end encrypted communications and the concept of circle of trust. The original creator of PGP is involved, but this product seems to be much easier to operate (although they still haven't fixed the problem of me convincing friends or family to also want one, therefore justifying my purchase as a personal device. They are therefore the BlackBerry of the Android world).
How to determine a phone's security (Score:2)
Proportional to the number of forum flooding (trolling and stupid questions) : relevant posts ratio (?)
baseband? (Score:2)
False sense of security (Score:2)
A gift to intelligence service middle management? (Score:1)
Re: Whose chips do they use? (Score:4, Insightful)
If you have a secret, I do not recommend using a mobile phone to discuss it.
Or indeed, telling anyone about it at all.
Re: (Score:3)
Or writing it down anywhere... or thinking about it.
Re: (Score:2)
Mobile Devices Are Spy Devices (Score:1)
Criminals Intercepting My Phone (Score:1)