The ‘Blackphone’ – Is it NSA Proof?

Written by:

When the NSA develops a phone they are most likely heading for an end goal of a phone that’s so secure the average hacker or person devious affairs (like big brother at from the NSA) could not intercept the communications coming from the phone.

Well here it is, “Blackphone”, The upmost secure and NSA-proof phone titles as, “world’s first Smartphone which places privacy and control directly in the hands of its users.” Unfortunately the phone was rooted in 5 minutes at the BlackHat security conference in Las Vegas at the beginning of August.

Blackphone is a joint venture between two different companies, the first being Silent Circle who is an encrypted communications firm and secondly a Spanish Company smartphone maker called Geeksphone.  The two companies together built a fully customized version of Android known as PrivatOS which came along with pre-installed a variety of privacy-enabled applications at a customer level but offering the peace of mind when it came to the secure encrypted level of a communications and then some that end user expected to have.

A security researcher with the twitter handle @TeamAndIRC took just a brief 5 minutes to gain root access to the Blackphone without needing to unlock the device’ bootloader.  But the hacker took to twitter to mock the Blackphones tweet with the following statement

“It is apparent no one ran CTS [compatibility test suite] on this device.”

The promised and anticipated “secure” Android phone that was promising security but in fact a suite of secure services that run on top of Android Open Source Project. BlackBerry dubbed it as “Consumer-Grade Privacy That’s Inadequate for Businesses.”

The researcher has highlighted three hacks in his Twitter account identifies as follows:

• USB debugging/dev menu removed, open via targeted intent
• Remotewipe app runs as system, and is debuggable, attach debugger get free system shell
• System user to root, many available

The researcher then backtracked on one of his claims because it happened on an unpatched version of Android, and noting that the second attack required user interaction.

But according to Chief Security Officer at Medium, Dan Ford, the debugging attack is not a vulnerability as the Android Debugging Bridge is a part of Android itself.

“We turned ADB off because it causes a software bug and potentially impacts the user experience, a patch is forthcoming,” Ford says in a blog post. “I would like to thank him for not blowing the issue out of proportion and going back to the twittersphere for a little more transparency by explaining that direct user interaction is required and that we had already patched one of the vulnerabilities through the OTA update.”

The details of the debugging attack haven’t been released to the public, but Ford promises in the future a patch to come to fix these and some other bug fixes currently still effecting the phone from wide release

We have found one of the vulnerabilities has already been patched and the other is only exploitable with direct user consent, so its not going to cause any harm to Blackphone users. Though it is quite ironic that the Blackphone team built the suite on top of Android which was never intended on being set up and designed for super-secure communications.

The phone however does look pretty promising in a world where secure communications is not just something for those in power but for everyday people who need to have their personal privacy protected from all types of attacks against our phones which carry more data about our lives that could potentially come to haunt us.

Link: Hide your identity and surf anonymously on your smartphone, laptop & mobile devices and protect yourself from hackers

_____________________________________________________________

Sources:

http://www.huffingtonpost.com/2014/01/15/blackphone-nsa-proof-smartphone_n_4603236.html

http://mashable.com/2014/01/15/blackphone/

http://www.ibtimes.com/prism-proof-your-smartphone-10-apps-keep-nsa-out-your-phone-1321085