‘Super-Secure’ BlackPhone

January 28th, 2015

Your what hurts?

Via: Register:

The maker of BlackPhone – a mobile marketed as offering unusually high levels of security – has patched a critical vulnerability that allows hackers to run malicious code on the handsets.

Attackers need little more than a phone number to send a message that can compromise the devices via the Silent Text application.

The impact of the flaw is troubling because BlackPhone attracts what hackers see as high-value victims: those willing to invest AU$765 (£415, $630) in a phone that claims to put security above form and features may well have valuable calls and texts to hide from eavesdroppers.

Mark Dowd (@mdowd), noted Sydney-based hacker and co-founder of security consultancy Azimuth Security, discovered the flaw during casual research in the latter months of 2014. He shared his findings with The Register while the fix – due to be disclosed today – was being developed.

“Successful exploitation can yield remote code execution with the privileges of the Silent Text application, which runs as a regular Android app, but with some additional system privileges required to perform its SMS-like functionality such as access to contacts, access to location information, the ability to write to external storage, and of course net access,” Dowd said, noting the bug took him about a week to find.

The flaw could also be coupled with a privilege-escalation exploit to gain full control of the vulnerable device, but this was not required to run arbitrary code as an unprivileged user.


One Response to “‘Super-Secure’ BlackPhone”

  1. Well, I have one, and am satisfied with it. My first smartphone. I obviously didn’t expect it to be perfect nor 100% safe… neither do they claim it to be 100%… but apart from the $3500 Cryptophone… I don’t see other choices. Everything can be hacked, so better to have something with a few more layers of security on it…
