Want to make payments with a smart phone? Are you one of the 85 percent of consumers using Android OS? It’s a good news, bad news kind of morning. On the upside, there is the Blackphone out there—a security enhanced modified Android OS phone that is reportedly the most secure on the market.
Downside: It was reportedly cyber-cracked in fewer than five minutes at the DefCon hackng conference.
The Blackphone was developed by Geeksphone and Silent Circle and runs off a forked version of Android (Jellybean). With a focus on security, the specialized phone offers encryptions for emails, text message and phone calls, as well as secured web surfing through a Virtual Private Network.
The winner of the competition to hack the phone, @TeamAndIRC, was reportedly able to gain root access to the phone within five minutes, thus identifying two security concerns. The first issue involved gaining access to the Android Debug Bridge (ADB). The other hinges on gaining shell access and executing a series of commands that forces the phone to cough up confidential data.
Reportedly, the second security issue has been fixed. The first, with the ADB, is reportedly not actually a security flaw and that ADB was earlier closed (disabled) to prevent bugs.
The Blackphone’s owners acknowledged some of the newly-exploited security holes this week, saying, “We are under the impression that this vulnerability affects many OEMs and not just Blackphone. When the vulnerability becomes public, we will implement the fix faster than any other OEM.”
The phone’s manufacturer said that some of the flaw was short-lived. “In the final days before manufacture, a bug was found with ADB on the Blackphones, which could throw the phone into a boot loop when full device encryption was turned on. Rather than miss the manufacturing window or cause user grief, the developer menu was turned off. Disabling ADB is not a security measure, and was never meant to be — it will be returning in an OTA to Blackphone in the future once the boot bug is resolved. The realities of getting a product manufactured and shipped within the available manufacturing window meant a quick fix was needed. No root or other privilege escalation was required in order for this to be performed.”
The vendor also acknowledged the core problem. “In general, @TeamAndIRC accurately described that in order to exploit any of the above-mentioned vulnerabilities the end-user would require physical access to the device and then perform the exploit. @TeamAndIRC explained that these vulnerabilities are not exploitable via a drive-by-download or other remote activities and will further require intentional user interaction. This would mean the user lost physical control of their Blackphone or they wanted to walk around with an exploitable smartphone. Nonetheless, we have a vulnerability and it is important to Blackphone to resolve this vulnerability fast.”
We’re always on the lookout for opportunities to partner with innovators and disruptors.
Learn More