A vulnerability in a third-party component used by Blackphone could result in an attacker gaining control of the phone's modem functions.
Researchers stumbled upon an open and accessible socket on the Blackphone during a reverse engineering exercise, said Tim Strazzere, director of mobile research at security software startup SentinelOne.
Blackphone is considered the most secure phone available as it has encryption built-in, providing secure voice calling, text messaging, videoconferencing, and file transfer by default. However, the open at_pal socket would have let attackers send SMS messages or forward incoming calls without the users being aware of what was happening.
SilentCircle has confirmed the vulnerability and patched the flaw. An update including a fix for this bug was released in early December.
"Unfortunately, no matter how secure a system is designed to be, it may remain vulnerable to security flaws," Strazzere wrote in a blog post discussing the vulnerability.
Talking to the modem
The open at_pal socket is associated with the now-discontinued Icera modem from Nvidia; it interacts with several applications on Blackphone, including the agps_daemon. The daemon -- a privileged process that accesses the system and radio features on Blackphone -- listens on the at_pal socket and writes everything it receives to the command line. Attackers can take advantage of this by sending commands to initiate actions such as sending SMS messages without saving a copy to history, muting the phone so that users won't hear the ringing, dialing numbers to initiate calls, finding and connecting to neighboring cell towers, killing the modem, or preventing incoming calls by forwarding them to another number.
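The root of the problem described above is a privileged daemon that relays whatever any local process writes to its socket. The following is an added example, not code from SentinelOne, Silent Circle or Nvidia, showing the two checks such a listener should make before acting on a request: it verifies the connecting process's identity with SO_PEERCRED (Linux only) and parses the request against a fixed allowlist of operations instead of passing the raw bytes on. The socket path, the ALLOWED_UIDS set and the command names are assumptions chosen for illustration.

```python
import os
import socket
import struct
from typing import Optional, Tuple, List

# Assumption: only these UIDs may drive the modem (e.g. the telephony service's UID).
ALLOWED_UIDS = {1001}

# Assumption: the daemon exposes exactly these operations, each with a fixed argument count.
ALLOWED_COMMANDS = {
    "SIGNAL_QUALITY": 0,
    "NETWORK_STATUS": 0,
}

PEERCRED_SUPPORTED = hasattr(socket, "SO_PEERCRED")


def peer_credentials(conn: socket.socket) -> Tuple[int, int, int]:
    """Return (pid, uid, gid) of the process on the other end of a Unix-domain socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, uid, gid = struct.unpack("3i", raw)
    return pid, uid, gid


def authorize_peer(uid: int, allowed=ALLOWED_UIDS) -> bool:
    """Policy decision: is this UID permitted to talk to the modem at all?"""
    return uid in allowed


def parse_request(line: bytes) -> Optional[Tuple[str, List[str]]]:
    """Accept only allowlisted commands with the expected argument count; None means reject.
    The raw line is never forwarded to the modem or to a shell."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = text.strip().split()
    if not parts:
        return None
    cmd, args = parts[0].upper(), parts[1:]
    if cmd not in ALLOWED_COMMANDS or len(args) != ALLOWED_COMMANDS[cmd]:
        return None
    return cmd, args


def handle(conn: socket.socket, allowed=ALLOWED_UIDS) -> bytes:
    """Service one connection and return the reply that was sent."""
    _pid, uid, _gid = peer_credentials(conn)
    if not authorize_peer(uid, allowed):
        reply = b"ERR unauthorized\n"          # wrong caller: do not even read the request
    else:
        req = parse_request(conn.recv(256))
        reply = b"ERR bad request\n" if req is None else b"OK " + req[0].encode() + b"\n"
    conn.sendall(reply)
    return reply


def serve(path: str = "/tmp/example_modem.sock") -> None:
    """Long-running listener; filesystem mode 0660 is a second line of defence."""
    if os.path.exists(path):
        os.unlink(path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        os.chmod(path, 0o660)
        srv.listen(4)
        while True:
            conn, _ = srv.accept()
            with conn:
                handle(conn)


def demo(request: bytes = b"SIGNAL_QUALITY\n", caller_allowed: bool = True) -> bytes:
    """Drive handle() over a socketpair inside this process (Linux only)."""
    allowed = {os.getuid()} if caller_allowed else set()
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with a, b:
        b.sendall(request)
        return handle(a, allowed)


if __name__ == "__main__":
    print(demo())
    print(demo(b"REBOOT_MODEM\n"))
    print(demo(caller_allowed=False))
```

The order of the checks matters: the peer credential check runs before any bytes of the request are parsed, so an unprivileged process gets no parsing surface at all, and the allowlist means a new modem operation has to be added to the daemon deliberately rather than being reachable by default.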
"We've found a way to talk directly to the modem!" Strazzere wrote.
Potential attack vectors include tricking users into downloading and installing malicious apps that take control of the modem. Attackers could also potentially use maliciously crafted emails in a manner similar to the way Stagefright could compromise an Android device, Strazzere said. The attacker would succeed by borrowing the higher privileges of a process such as agps_daemon, so it's important to understand what capabilities an app should have.
A flashlight app should not be placing calls, for example. "This would be bad," Strazzere said.
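Turning "a flashlight app should not be placing calls" into a check means comparing what an app declares against what its kind of app plausibly needs. The following is an added example, not from the article or SentinelOne: it parses the uses-permission entries of an Android manifest and reports anything outside an assumed per-category profile, rating telephony permissions as high severity. The manifest, the EXPECTED profiles and the TELEPHONY set are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: a torch app that also requests telephony capabilities.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""

# Assumed capability profiles: what each app category legitimately needs.
EXPECTED: Dict[str, Set[str]] = {
    # Torch control goes through the camera HAL, so CAMERA is expected; nothing else is.
    "flashlight": {"android.permission.CAMERA"},
}

# Permissions that give an app telephony reach; unexpected requests are high severity.
TELEPHONY = {
    "android.permission.CALL_PHONE",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.PROCESS_OUTGOING_CALLS",
}


def declared_permissions(manifest_xml: str) -> Set[str]:
    """All android:name values of <uses-permission> elements in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name)
    return names


def unexpected_permissions(manifest_xml: str, category: str) -> Dict[str, str]:
    """Permissions declared but absent from the category profile, with a severity label."""
    if category not in EXPECTED:
        raise KeyError(f"no capability profile for category {category!r}")
    extra = declared_permissions(manifest_xml) - EXPECTED[category]
    return {p: ("high" if p in TELEPHONY else "review") for p in sorted(extra)}


if __name__ == "__main__":
    for perm, severity in unexpected_permissions(SAMPLE_MANIFEST, "flashlight").items():
        print(f"{severity:6} {perm}")
```

The profile approach deliberately flags by absence from an allowlist rather than presence on a blocklist, so a permission nobody thought to ban still surfaces for review; only the telephony set is promoted to high severity because that is the capability the at_pal issue would let an app borrow.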
The at_pal socket is not very well documented or widely used, making the potential attack surface very narrow. The Icera modem was used only in a handful of devices -- one of which was the Blackphone -- before Nvidia discontinued all Icera operations last year. Strazzere said he had difficulty finding other devices that use the Icera modem. The newer Blackphone 2 uses Qualcomm chips for LTE and is unaffected, for example.
Implications of using third-party tech
The open socket problem highlights the challenges of modern development, where hardware, device drivers, software libraries, and other components all come from different sources. In the case of the Blackphone, the way the driver from Nvidia was implemented by SilentCircle inadvertently exposed the modem on the phone. An issue in one part can weaken another component, resulting in unexpected scenarios.
The mix of hardware components and software code makes it difficult for researchers to detect and remediate flaws in modern products. This issue has been coming up with great frequency recently, such as when an issue in Apache Commons Collections impacted commercial software such as JBoss, WebSphere, and WebLogic.
It's likely that SilentCircle did not intend to have the socket open and accessible in production code, Strazzere said. It's to SilentCircle's credit the company acted promptly to patch the issue and roll out an update.
There's been renewed focus on how vulnerabilities in third-party libraries and frameworks can impact overall application security. The vast majority of modern software development is less about writing code and more about assembling existing components, much like Legos. However, this means third-party code is almost always present. Developers have to regularly verify the building blocks to ensure they aren't introducing any vulnerabilities and work with third-party providers to address issues as they come up.
Though SilentCircle switched to Qualcomm for Blackphone 2, Strazzere was confident the company would be taking a close look to ensure similar problems aren't present in the newer models.