Blackphone and Silent Circle have patched a serious vulnerability in Silent Text, the messaging application bundled with the smartphone that’s marketed as secure and surveillance resistant.
Mark Dowd, a prominent security researcher and founder of Azimuth Security, on Tuesday disclosed details of the vulnerability, which he said could allow an attacker to remotely compromise the Blackphone while needing to know only the target's Silent Circle ID number or phone number.
Dowd said the vulnerability allowed hackers to remotely decrypt messages, learn a target’s location information, steal contact information, write to external storage, or even run code in order to root the Blackphone.
“If exploited successfully, this flaw could be used to gain remote arbitrary code execution on the target’s handset,” Dowd said. “The code run by the attacker will have the privileges of the messaging application, which is a standard Android application with some additional privileges.”
Silent Text is an encrypted chat/messaging application that is also available for the iPhone or as a standalone Android application. Dowd explained that the Silent Circle Instant Message Protocol (SCIMP), which establishes and manages the encrypted channel over which messages are sent, contains a type confusion vulnerability. An attacker, he said, can use the flaw to overwrite a pointer in memory and from there take control of the phone, with no authentication required.
Dowd goes into great detail about the vulnerability and provides code samples illustrating the issue. He pins the blame specifically on the libscimp library, which implements SCIMP and is used as part of the cryptographic implementation in the app.
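To make the bug class concrete, here is an added illustration of a type confusion in a tagged-union message parser, written for this article and not taken from libscimp, from Dowd's write-up, or from Silent Circle's code. The structures and function names (wire_record, session_msg, handle_vulnerable, handle_hardened) are hypothetical, and the wire records are constructed inline. The point it shows is the one Dowd describes: when the code that fills a union trusts the type tag the peer declares, but the code that consumes the union trusts the protocol state instead, attacker-supplied integers end up being read back as a pointer.

```c
/* Added illustration of the type-confusion bug class; not code from libscimp.
 * A session expects one message kind, the peer declares another, and a parser
 * that fills a tagged union from the peer's declaration lets the consumer
 * reinterpret attacker-chosen integers as a pointer. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum msg_kind { MSG_TEXT = 1, MSG_KEYPARAM = 2 };

/* Two payload layouts that share storage in the union below. */
struct text_payload     { const char *buf; uint64_t len; };  /* pointer-bearing */
struct keyparam_payload { uint64_t value;  uint64_t aux; };  /* plain integers  */

struct session_msg {
    int kind;
    union {
        struct text_payload     text;
        struct keyparam_payload key;
    } u;
};

/* Constructed stand-in for a decoded wire message: the peer supplies the kind
 * tag and two 64-bit fields; for MSG_TEXT, 'text' points at the message bytes. */
struct wire_record {
    int         declared_kind;
    uint64_t    a, b;
    const char *text;
};

/* Fills the union strictly according to the kind the peer declared. */
static void fill_from_wire(const struct wire_record *rec, struct session_msg *out)
{
    out->kind = rec->declared_kind;
    if (rec->declared_kind == MSG_KEYPARAM) {
        out->u.key.value = rec->a;
        out->u.key.aux   = rec->b;
    } else {
        out->u.text.buf = rec->text;
        out->u.text.len = rec->a;
    }
}

/* VULNERABLE: dispatches on what the session expects and never checks it
 * against what the parser actually stored. When expected_kind is MSG_TEXT but
 * the peer declared MSG_KEYPARAM, u.text.buf is read from the bytes the
 * attacker supplied as an integer. Returns 0 and hands back the pointer value
 * (the low-order overlap assumed here holds on little-endian and 64-bit hosts). */
static int handle_vulnerable(int expected_kind, const struct wire_record *rec,
                             uintptr_t *text_ptr)
{
    struct session_msg m;
    fill_from_wire(rec, &m);
    if (expected_kind == MSG_TEXT)
        *text_ptr = (uintptr_t)m.u.text.buf;   /* type confusion happens here */
    return 0;
}

/* HARDENED: reject any message whose declared kind disagrees with the session
 * state before the union is ever interpreted. Returns -1 on rejection. */
static int handle_hardened(int expected_kind, const struct wire_record *rec,
                           uintptr_t *text_ptr)
{
    if (rec->declared_kind != expected_kind)
        return -1;
    struct session_msg m;
    fill_from_wire(rec, &m);
    if (m.kind == MSG_TEXT)
        *text_ptr = (uintptr_t)m.u.text.buf;   /* tag and contents now agree */
    return 0;
}

int main(void)
{
    /* Constructed inputs: a benign text message, and a hostile one that
     * declares KEYPARAM while the session is waiting for TEXT. */
    struct wire_record good = { MSG_TEXT, 5, 0, "hello" };
    struct wire_record evil = { MSG_KEYPARAM, 0x41414141ULL, 0, NULL };
    uintptr_t p = 0;

    handle_vulnerable(MSG_TEXT, &good, &p);
    printf("benign:     text=%s\n", (const char *)p);
    handle_vulnerable(MSG_TEXT, &evil, &p);
    printf("vulnerable: text pointer=0x%llx (attacker-chosen, never dereferenced here)\n",
           (unsigned long long)p);
    printf("hardened:   rc=%d (message rejected)\n", handle_hardened(MSG_TEXT, &evil, &p));
    return 0;
}
```

The example deliberately stops at recovering the confused pointer value rather than dereferencing it; in a real parser that pointer would be used for a read or write, which is what turns the confusion into memory corruption. The fix is the shape of check a reviewer would ask for in any union-based protocol decoder: validate the peer's type tag against the state machine's expectation before any field of the union is read.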
The Blackphone is one of the privacy innovations that took off in the wake of the Snowden revelations as users began looking for technological solutions that would keep their online communication away from prying eyes.
Silent Text was updated last May with enhancements to SCIMP that allow messages to be sent securely without both parties being present on the network simultaneously.
“Ideally you should be able to start sending secure messages without waiting for the recipient to respond, but without sacrificing the same level of security and end to end encryption provided by the key exchange that we employ in our current product,” said Silent Circle co-founder Vinnie Moscaritolo. The solution Silent Circle came up with is called Progressive Encryption, which combines private and ephemeral key agreement protocols.
In August, during the annual DEF CON hacker conference, a researcher figured out a way to root the Blackphone under extraordinary circumstances, a hack that the researcher himself said did not apply in the real world.
Shortly after the DEF CON fiasco, Blackphone and Silent Circle initiated a formal bug bounty program using the Bugcrowd platform. Users were challenged to find vulnerabilities in the smartphone’s PrivatOS operating system, update servers and Web portals, with a minimum $128 bounty waiting; CISO Dan Ford said at the time that there was no ceiling on bounties.