Encrypted Blackphone Patches Serious Modem Flaw (threatpost.com) 27
msm1267 writes: Silent Circle, makers of the security and privacy focused Blackphone, have patched a vulnerability that could allow a malicious mobile application or remote attacker to access the device's modem and perform any number of actions. Researchers at SentinelOne discovered an open socket on the Blackphone that an attacker could abuse to intercept calls, set call forwarding, read SMS messages, mute the phone and more. Blackphone is marketed toward privacy-conscious users; it includes encrypted messaging apps such as SilentText and Silent Phone, and it runs on a customized, secure version of Android, called PrivatOS.
Baseband processors are the problem (Score:5, Interesting)
Baseband processors (aka modems) have been the greatest technical weakness in cellphones since the dawn of SIM cards. They operate independently of the primary CPU and still crash when fuzzed and yet still have DMA lines to your RAM. Perhaps the bigger problem is how absurdly complex the ever growing number of protocol standards there are for baseband processors.
Nvidia baseband source code was available (Score:5, Informative)
The exploit is not in the baseband; it is a local socket on the phone accessible by apps with no special privileges (as far as I can tell).
Phil Zimmerman gave a talk on the Blackphone at Defcon 22:
DEF CON 22 How To Get Phone Companies To Just Say No To Wiretapping [youtube.com]
I have transcribed this from the time 26:10 in the video:
26:10 Question from audience member:
Hi, so traditional phones are dependant on the baseband processor,
which has a whole lot of flaws depending on the protocols that they
are using. What are you doing to mitigate baseband processor factors?
Zimmerman:
Yeah, that is a good question. We had a meeting at Nvidia, because
Nvidia makes the chipsets that we are using for Blackphone.
And Nvidia had apparently aquired a company a while back that
made a baseband processor. It was built around a software defined
radio.
And I asked them that questiom; Can we do an independant security
review for the for firmware for the baseband processor.
And they said they would be open to that.
In fact, they were delighted to have a customer expressing interest
in really taking a close look at their baseband processor;
no other customer had ever brought up the question before.
You know, no other customer is as obsessive over it as we are.
I guess they should have spent some time looking at their own stuff rather than other people's code in this case.
Re: (Score:2)
Yeah, really. I would have thought that a product being advertised has having such comprehensive security would have each firmware release candidate thoroughly tested for such things under a variety of situations. Having missed an open port listening for traffic, even if it's only in the internal environment, doesn't give me a lot of confidence that there aren't other problems to be found.
Re: (Score:2)
How can they possibly be expected to keep up with the latest trends in user interface graphic design if they spend their resources on complex and time-consuming security reviews? We need to rev this sucker every 9-12 months with new GUI designs to keep it fresh and relevant. UI experts are finding new and improved ways to do familiar tasks based on the latest trends in all-white backgrounds, small type, big buttons and the latest in little spinning widgets that show you how hard your phone is working.
If w
Neo900 phone (Score:4, Interesting)
The Neo900.org phone deliberately uses a CPU that does not have a modem built into it. The modem is a separate chip, and there is a watchdog chip that instantly resets it if it tries to do anything when supposed to be off.
Re: (Score:2)
Its also physically impossible for anyone to remotely activate the microphone on the Neo900 or remotely steal audio (all audio that gets sent to the modem goes via the AP and some still-being-written open source userspace blobs (which I happen to be involved with in a limited way)
Re: (Score:3)
Its also physically impossible for anyone to remotely activate the microphone on the Neo900 or remotely steal audio
unless there is a switch that you have to manually flip to connect and disconnect the microphone, you don't understand what "physically impossible" actually means.
Re: Neo900 phone (Score:4, Interesting)
Reportedly they've gotten PayPal to cripple that project. [neo900.org]
Re: (Score:2)
Looks pretty much like someone thought that they'd be buying a phone and complained to PayPal when they didn't get one and then PayPal treat it like any old eBay auction dispute.
Re: (Score:2)
The Neo900.org phone deliberately uses a CPU that does not have a modem built into it. The modem is a separate chip
this is the case with almost all cellphones.
and there is a watchdog chip that instantly resets it if it tries to do anything when supposed to be off.
that's interesting but far from bullet-proof. the modem chip they are using, yep, made and programmed by gemalto. basically, it's security is only a smidgen better than every other cellphone on the market.
Re: (Score:2, Interesting)
From their FAQ:
http://neo900.org/faq
Isn't a non-free baseband firmware a privacy issue?
We're going to address privacy concerns of non-free modem firmware by ensuring that the modem has access to no more data than absolutely necessary, so it won't be able to spy on anything that's not already available on carrier side. On Neo900 one can be sure that the modem is actually turned off when requested, not just pretending to be. Users will be notified in case of the modem wanting to do something without their con
More at play? (Score:1)
From what I'm reading on their web post about the issue, it seems like there might be *ulterior motives* to PayPal blocking Neo900 from getting their funds to run business as usual.
Probably because the tech inside the phone (modem separated from CPU and cannot be remotely activated whatsoever) poses a real danger to surveillance efforts from the US government, at least.
This is, of course, all speculation with a dash of paranoia. Maybe it is just some technicality that will be resolved in short order.
Re: (Score:3)
Zero credibility.
Any competent University CS major programmer could have figured out this was a stupid fucking hole. They are clearly incompetent and should not be in the security industry.
Yeah... who the fuck does this Phil Zimmermann guy think he is?
Re: (Score:2)
Contrary to popular and Hollywood belief, security experts are no magical beings that can instantly and flawlessly identify every security hole a product could ever have. There is also the problem that no hacker has ever managed to hack into a system he himself secured. For obvious reasons: If he knew there was a flaw, he would have patched it first.