If ever there was a hacking story screaming for clarity, it’s the Blackphone saga that unfolded during DEF CON.
First off, yes, the device was rooted by a researcher who goes by the handle Justin Case (@TeamandIRC on Twitter)—but not in five minutes as has been previously reported. Yes, it requires that an extraordinary set of circumstances be in place to get root on the secure phone, circumstances that go against the grain of any user interested enough in privacy to invest $629 to buy a Blackphone. Yes, two of the three vulnerabilities in question have been, or will be, patched shortly. The third has yet to be disclosed but requires elevated privileges on the phone.
And no, Blackphone isn’t broken beyond all recognition.
“This hack is not applicable in real-world situations,” Case told Threatpost. “You would have to find the super rare Blackphone user who doesn’t update, doesn’t encrypt, steal their phone, beat their PIN out of them, then have the know-how and tools to exploit it.”
Blackphone is marketed as a secure-by-design mobile phone with its custom PrivatOS operating system and security applications built atop Android. Built by the makers of Silent Circle and Geeksphone, Blackphone includes a suite of security applications including Silent Call, Silent Text, SpiderOak secure storage and more.
Case began posting on Saturday via his Twitter account that the Blackphone was about to fall at DEF CON, that he’d managed to get root access to the device and turn on the Android Debug Bridge (ADB) without unlocking the bootloader. He had chained together three vulnerabilities to do so, and in the process tossed a bucket of cold water on the supposedly secure phone.
— Justin Case (@TeamAndIRC) August 9, 2014
Case disclosed to SGP Technologies, which quickly countered that the ADB bug was not a vulnerability, and that it had been turned off because it triggered a bug that would have delayed delivery to the manufacturer. CSO Dan Ford wrote in a blog post that a patch is being developed.
“In the final days before manufacture, a bug was found with ADB on the Blackphones which could throw the phone into a boot loop when full device encryption was turned on,” Ford wrote. “Rather than miss the manufacturing window or cause user grief, the developer menu was turned off. Disabling ADB is not a security measure, and was never meant to be — it will be returning in an OTA [over-the-air update] to Blackphone in the future once the boot bug is resolved.”
The second issue, a vulnerability in PrivatOS, had already been patched. The vulnerabilities were independently discovered, Case said, and was patched within 24 hours of discovery in an over-the-air update on Aug. 1. The second bug, Ford wrote, was found in PrivatOS 1.0.1 where a remote wipe system file was set to debug. “If a malicious app were to be installed on the Blackphone then this would allow for privilege escalation,” Ford wrote.
Case confirmed to Threatpost that the Blackphone he used had been in the box and had not been updated because he did not trust the DEF CON Wi-Fi network. He said that exploiting the first two issues requires physical access to the Blackphone, and the third requires execution as a highly privileged user, from system to root; Case has not disclosed details on the third vulnerability.
“It elevates from system to root (a very small step; system is almost as good as root),” Case said, hinting that it could affect other OSes beyond Android. “[It’s] extremely hard to hit, utterly impractical for real attacks. [It] requires at least two other vulns to use. No idea on who it affects, hence why it wasn’t disclosed. This is hardly a concern, as you are already highly escalated at this point.”
Ford wrote that Case told him any exploits required physical interaction from the user and were not remotely exploitable via drive-by downloads or other similar remote exploits.
“We pride ourselves on being able to provide a quick turnaround to security problems,” Ford said. “We control the complete OTA process and are able to fix issues as soon as they are disclosed, if they haven’t been pre-emptively fixed.”
Case, meanwhile, pointed out that Blackphone’s native Android build attracts security researchers such as himself, minimizing the potential impact of vulnerabilities.
“Big ecosystems attract big attention,” Case said. “[Blackphone] could not have chosen a better starting point than Android. There is a reason you see so much NSA-level attention to it recently.”