Regardless of how highly rated a device may be in terms of security, vulnerabilities always surface. That's the message of new blog posts detailing how Blackphone-maker Silent Circle patched a critical modem flaw in order to prevent phone hijacking.
The vulnerability was found by SentinelOne in the Icera modem made by Nvidia. According to a blog post by Tim Strazzere, director of mobile research at SentinelOne, a socket was left open and accessible on the Blackphone 1. This could allow commands to be sent to the device modem and give an attacker the ability to send or receive short message services (SMSes), dial or connect phone calls, reset access point name, short message service center or power settings, kill the modem and more.
"The vulnerability, once you understand how it works and where to look, is relatively easy to exploit," Strazzere told SearchSecurity. "As for how attackers could leverage it, they would need to get code execution on the device, which could be via a malicious application that exploits the vulnerability in the background."
Strazzere said the phone hijacking vulnerability was even more dangerous because users might not have realized they were installing an app that could exploit the flaw.
"Typically, if an application wants to send an SMS, it must request use of this permission. Upon installation, the user would see the request and could reject it if they choose [to] do so. If a user attempts to install a flashlight app that asks to send SMS, hopefully they will decline," Strazzere said. "However, with this type of vulnerability, a user would not be presented with a request for an inappropriate (malicious) permission like sending SMS by a flashlight app, and would install the application, since it seems normal. An attacker then could use this vulnerability to send SMS, make phone calls or any of the other types of functions outlined in the blog."
Blackphone-maker Silent Circle confirmed the phone hijacking vulnerability affects only the first-generation Blackphone -- not the Blackphone 2 -- and has been patched in software version 1.1.13 RC3, which was originally released on Dec. 7, 2015. Silent Circle advised that any Blackphone 1 users running software 1.1.13 RC2 or lower should update immediately.
Strazzere said the experience of submitting this bug proved to him how seriously Silent Circle takes security. SentinelOne first reported the bug at the end of August; by the end of September, the bug submission was accepted; the issue was marked as resolved by the beginning of November; and the patch fixing the phone hijacking vulnerability was released in early December.
"Working with Silent Circle through their bug bounty program via Bugcrowd was an excellent experience. Silent Circle contacted me regularly with updates and thanked me multiple times," Strazzere said. "The [Silent Circle] CSO, Dan Ford, even reached out to me personally to ensure the process was going well and to ask how I felt about their response. I was pleased to learn that security is as important to them as it is to us at SentinelOne."