New Blackphone 1 Vulnerability Highlights Continued Challenges In Mobile Security
After being heralded as one of the most secure options when it comes to mobile devices, new research out this week reveals a vulnerability in Silent Circle's Blackphone 1.
The Blackphone is billed as one of the most secure phones on the market, featuring encrypted phone calls, communications, browsing and more under adapted Android operating system PrivateOS.
The vulnerability, which was discovered by security researchers at SentinelOne, could allow an attacker to send commands to the phone’s modem through an open socket path. If exploited, a hacker could send and receive text messages, dial or connect calls, check state of phone calls, reset settings, force conference calls, mute the modem speaker, change caller ID settings, kill the modem, find neighboring cell towers and silently register a call forwarding number, according to a blog post about the vulnerability.
[Related: Behind The Blackphone: The Future Of Mobile Security?]
The blog did not say if the vulnerability had been exploited. In an email to CRN, Tim Strazzere, director of mobile research at SentinelOne, said he classified the vulnerability as ’medium’ to ’high’ in severity, saying it is not ’high to critical’ because it cannot be remotely executed. While he said he didn’t think it called into question the overall security of the Blackphone, Strazzere said the vulnerability finding highlights the fact that no manufacturer is exempt from security flaws.
’Even the most ardent manufacturers who pride themselves on security fall victim to vulnerabilities. It’s a reality we must face within the security industry, as well as within the manufacturing community to ensure we maintain diligence when it comes to development practices,’ Strazzere said.
SentinelOne said it notified Silent Circle, the company that owns Blackphone maker SGP Technologies, of the vulnerability. Silent Circle has already released a patch for the problem.
When asked by CRN for comment, a Silent Circle spokesperson pointed CRN to a blog post about the vulnerability finding. The blog thanked SentinelOne for finding the vulnerability, adding that such vulnerabilities are ’inevitable,’ but that the smartphone company would work to correct any found as quickly as possible.
"We patch vulnerabilities and give credit where credit is due. For you see, in most cases product security depreciates faster than taking a new car off the car lot. In order to keep the value from depreciating too quickly you must provide careful and consistent maintenance. We take pride in maintaining the security of all our products and will continue to do so," the blog said.
The vulnerability finding fits into a larger growing narrative around mobile security challenges. Consumers are becoming more aware and basing more of their mobile decision-making around security, a study by Accenture found earlier this week. According to the study, which surveyed 28,000 consumers, 24 percent of people would delay buying an IoT device because of security concerns. Another 18 percent said they had stopped using an IoT device they already owned because of security concerns, while more than twice as many -- 37 percent -- said they were ’cautious’ when using those types of devices.
’The degree to which [security] has been an underlying issue, or a potential issue for consumers has really come to the fore,’ John Curran, managing director of Accenture’s Communications, Media and Technology practice, said.
Curran said the shift in focus by consumers signals a need for manufacturers to be more transparent around data security and privacy, as well as communicate better as to what is being done for client security.
SentinelOne's Strazzere agreed, saying that the implications of the Blackphone 1 vulnerability findings are ’significant,’ especially as mobile devices gain functionality such as mobile payments.
["More of] these mobile devices [need to] be equipped with security that can protect against advanced attacks. Few devices today are deployed with endpoint security technologies that can protect against exploit-based attacks, or sophisticated malware-based attacks,’ Strazzere said.