“Nothing is True, Everything is Permitted” – does this line seem familiar? If not, well, this is what happened to the so-called “surveillance-proof” Blackphone when it got hacked as soon as it stepped into the Def Con hacker conference, 2014, held in Las Vegas. For those who don’t know what Blackphone is, it is a collaboration between security firm Silent Circle and Geeksphone to make a smartphone running the firm’s custom PrivatOS, which it touted as “the phone no-one has dared to make yet”.
The Blackphone is centered around privacy, and the company is keen to point out that while Google’s Android mobile operating system is at its core, it is much more secure than the present influx of smartphones running Android. That matters, given the latest Android security statistics, which reveal that it is the target for 98 percent of all mobile malware.
Hacker Jon “Justin Case” Sawyer, known as @TeamAndIRC, claimed to have found three vulnerabilities and to have hacked the phone on three separate occasions to gain root access, announcing his findings on Twitter.
“Black phone hack #1, USB debugging/dev menu removed, open via targeted intent”
Blackphone’s CSO Dan Ford responded to @TeamAndIRC in a blog post and said that he didn’t consider the debugging attack to be a vulnerability, because the Android Debug Bridge (ADB) is part of Android.
“In the final days before manufacture, a bug was found with ADB on the Blackphones which could throw the phone into a boot loop when full device encryption was turned on,” Ford explained.
“Rather than miss the manufacturing window or cause user grief, the developer menu was turned off. Disabling ADB is not a security measure, and was never meant to be – it will be returning in an OTA to Blackphone in the future once the boot bug is resolved; the realities of getting a product manufactured and shipped within the available manufacturing window meant a quick fix was needed.”
Ford added that no root or other privilege escalation was required to do this.
But @TeamAndIRC went ahead and did it again, this time via what he claimed was a “remotewipe app” running as system, which he said “is debuggable, attach debugger get free system shell”.
However, Blackphone insisted that the hacks @TeamAndIRC found require user consent: the vulnerabilities are not exploitable via a drive-by download or other remote activity, and they further require intentional user interaction.
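The second hack above hinges on a system-UID app shipping with debugging enabled. The following is an added audit script, not code from Blackphone or from the article, that flags that misconfiguration in an AndroidManifest.xml; it assumes the manifest has already been decoded from binary XML to plain XML (for example with apktool), and the two manifests embedded below are constructed samples, not Blackphone’s real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a "remote wipe" style app that shares the system UID
# and was left debuggable, the weak configuration described in the article.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.remotewipe"
    android:sharedUserId="android.uid.system">
    <application android:label="RemoteWipe" android:debuggable="true">
        <activity android:name=".MainActivity" android:exported="true"/>
    </application>
</manifest>"""

# Constructed sample: the same app with debugging turned off, which is what
# a release build of a privileged system app should look like.
HARDENED_MANIFEST = WEAK_MANIFEST.replace('android:debuggable="true"',
                                          'android:debuggable="false"')


def audit_manifest(xml_text: str) -> dict:
    """Return a finding for one decoded AndroidManifest.xml.

    Severity is 'critical' when a debuggable app also runs as the system
    UID (a debugger attach yields a system-level shell), 'high' for any
    other debuggable app, and 'none' otherwise.
    """
    root = ET.fromstring(xml_text)
    app = root.find("application")
    debuggable = (
        app is not None
        and app.get(f"{{{ANDROID_NS}}}debuggable", "false").lower() == "true"
    )
    shared_uid = root.get(f"{{{ANDROID_NS}}}sharedUserId", "")
    system_uid = shared_uid == "android.uid.system"
    if debuggable and system_uid:
        severity = "critical"
    elif debuggable:
        severity = "high"
    else:
        severity = "none"
    return {
        "package": root.get("package"),
        "debuggable": debuggable,
        "system_uid": system_uid,
        "severity": severity,
    }


if __name__ == "__main__":
    for name, text in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(name, audit_manifest(text))
```

Run over every decoded manifest in a firmware image to list apps that should never ship debuggable; the same check belongs in the build pipeline before a release is signed.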
“We are under the impression that this vulnerability affects many OEMs and not just Blackphone. When the vulnerability becomes public, we will implement the fix faster than any other OEM,” Ford responded.
“This would mean the user lost physical control of their Blackphone or they wanted to walk around with an exploitable smartphone. Nonetheless, we have a vulnerability and it is important to Blackphone to resolve this vulnerability fast.”
@TeamAndIRC was not willing to discuss the third and final vulnerability he found, describing it only as “system user to root, many available”.
“I would like to thank him for not blowing the issue out of proportion and going back to the twittersphere for a little more transparency by explaining that direct user interaction is required and that we had already patched one of the vulnerabilities through the OTA update,” Ford added.
As a fun fact, when someone from the Blackphone table handed him a T-shirt for the hacks he reported (they don’t have a bug bounty program), Sawyer refused to take it, saying he had already got a T-shirt when he bought the phone and had modified it with his own message.
“The shirt was the most impressive part of the hack, considering I had it made in minutes,” Sawyer said. When Ford saw the shirt, Sawyer recounted, he laughed.