Vulnerability  Found in Blackphone’s SilentText App

The first phone from Silent Circle, Blackphone, totes itself as “the world’s first enterprise privacy platform” and is relying on the fact that people are willing to pay a premium for privacy. This is still a neiche market but Blackphone is betting on that neiche having the finances to afford a security-conscious option.
Despite Blackphone being a company with security at the fore-front of their mission, a  type confusion vulnerability was found in their text application, Silent Text. The vulnerability works whether the Silent Text application is installed on one of the company’s Blackphone devices or onto another device. The vulnerability could be exploited to do anything from simply eavesdrop by decrypting messages to actually executing malicious code.

The vulnerability was found and reported by Mark Dowd, an Azimuth Security consultant. It was first reported after giving time to Blackphone to patch the vulnerability. While the application is no longer susceptible to this attack it is unknown whether malicious parties were privy to the issue in time to take advantage of it.
In order to exploit the vulnerability all that was needed was the targets Silent Circle ID or their phone number. The type confusion occurs when the application is performing the JSON deserialization of the incoming Silent Circle Instant Messaging Protocol (SCIMP) message. This type confusion can be exploited to corrupt a pointer which can then be used to execute the attacker’s desired payload.

While the actual vulnerability was patched over a month ago the disclosure is still of interest as Silent Circle has recently acquired their partners stake in the project as well as an additional $50 million dollars in funding. It remains to be seen whether the market will support the company’s mission but the announcement of additional funding seems promising and it appears that their model for bug disclosure is working.
Article on the vulnerability:
http://arstechnica.com/security/2015/01/bug-in-ultra-secure-blackphone-let-attackers-decrypt-texts-stalk-users/
For more information on the specifics of the vulnerability:
http://blog.azimuthsecurity.com/2015/01/blackpwn-blackphone-silenttext-type.html
Information on the acquisition:
http://www.cnet.com/news/silent-circle-buys-out-secure-blackphone-hardware-partner/

-Arthur Lunn

Advertisements