The privacy-focused Blackphone has been cracked by a security researcher at the Def Con hacking conference in Las Vegas, though the exploits require physical access.
Released in February, the Blackphone is a joint venture between GeeksPhone and Silent Circle to create an Android-based smartphone capable of encrypting phone calls, emails, texts and Internet browsing.
The phone was designed to offer customers a surveillance-immune method of communication in the wake of Edward Snowden’s revelation about the NSA’s mass data-collection program, but at the security conference yesterday a security researcher going by the Twitter handle @TeamAndIRC revealed three vulnerabilities found with the device on the micro-blogging site.
Dan Ford, chief security officer of the device's makers SGP Technologies, took to his blog to defend the product pointing saying he doesn’t consider the first exploit a vulnerability, the second had already been patched earlier this month, and the final exploit was not fully disclosed.
“In general, @TeamAndIRC accurately described that in order to exploit any of the above-mentioned vulnerabilities the end-user would require physical access to the device and then to perform the exploit,” he wrote.
“@TeamAndIRC explained that these vulnerabilities are not exploitable via a drive-by-download or other remote activities and will further require intentional user interaction.
“This would mean the user lost physical control of their Blackphone or they wanted to walk around with an exploitable smartphone. Nonetheless, we have a vulnerability and it is important to Blackphone to resolve this vulnerability fast.”
The first vulnerability saw @TeamAndIRC gain root access to the device by using the Android Debugging Bridge (ADB), but the exploit would require user intent and physical access to the device.
“Turning ADB on is not a vulnerability as this is part of the Android operating system,” he wrote. “We turned ADB off because it causes a software bug and potentially impacts the user experience, a patch is forthcoming.”
The second vulnerability was found in a system file in version 1.0.1 of the phone’s Android-based PrivatOS operating system, but the bug had been fixed in version 1.0.2 of the software released on 1 August. According to Ford, the phones on sale at Def Con had already been shipped at the time the update was released and @TeamAndIRC.
The third vulnerability was not been fully disclosed, other than that there are multiple ways of exploiting it to gain root access.
“@TeamAndIRC was not willing to discuss this vulnerability at this time. We are under the impression that this vulnerability affects many OEMs and not just Blackphone” wrote Ford.
“When the vulnerability becomes public, we will implement the fix faster than any other OEM.”