Security-Focused BlackPhone Was Vulnerable To Simple Text Message Bug
mask.of.sanity sends this report from El Reg: The maker of BlackPhone – a mobile marketed as offering unusually high levels of security – has patched a critical vulnerability that allows hackers to run malicious code on the handsets. Attackers need little more than a phone number to send a message that can compromise the devices via the Silent Text application.
The impact of the flaw is troubling because BlackPhone attracts what hackers see as high-value victims: those willing to invest AU$765 (£415, $630) in a phone that claims to put security above form and features may well have valuable calls and texts to hide from eavesdroppers.
Security is a process ... (Score:5, Insightful)
The problem with security is it is an on-going process, and it takes time. Which means the trust that you actually are secure also takes time.
So, just because you started out thinking "Oh boy, are we going to be hella secure" -- it takes a long time to FIND all those things which defeat that, and just as long to convince everybody that you've done it.
Almost as soon as I heard of this phone my first thought was "gee, you're brand new, why should we trust that you've got it sorted out".
And, as TFS says ... this phone is used by people who want additional security. What the hell made you think you wouldn't be immediately targeted? This is like advertising you have an unbreakable vault ... now everybody wants to prove you wrong.
I think they started trading on a reputation they hadn't earned yet, and now it's biting them in the ass.
Re: (Score:2)
The entire security model and mindset in IT and computing is severely flawed. Arguably if it weren't for dependency on computers and the ability to gussy-up terrible back-end code with pretty user interfaces, this situation would be completely untenable.
Re: (Score:2, Informative)
It isn't IT, it is a mindset of a lot of companies that security, and IT in general are cost centers. There is a mantra that "security has no ROI".
However, let's be real here, and I will do a bit of devil's advocate work here. Security doesn't have a ROI:
1: Sony is back to normal. The PSN hack didn't affect their stock price overall, and the latest hack will be forgotten in 2-3 months.
2: Security doesn't hurt businesses. If data gets leaked, whoopty-do. China does the ODM work anyway.
3: SANs are immu
Re: (Score:3)
Re: (Score:3, Interesting)
They should have called it 'GreyPhone', maybe one day, after many updates, 'DarkGreyPhone'. But let's face it...BlackPhone may just be unobtainable.
Re: (Score:3)
Re:Security is a process ... (Score:5, Insightful)
The problem is that a company that has security as part of their mindset is hard to find. Most at best have it as an afterthought, something strapped on at the last moment.
Security takes R&D, just like everything else. Would I expect a v1.0 product to be secure, especially from focused attack by people who want to bypass it? No, and not even in a v1.0.10 product. Breaches will happen for the first few years.
However, I will state one thing about BlackPhone: They fixed the issue. Other vendors would just tell their customers to buy a new smartphone or go pound sand. Where the rubber meets the road is how security flaws are handled. Are they acknowledged and patched, or are they covered up, flagged as FNR (fixed in next release), and only threats of litigation are able to actually get the vendor to make a patch? There will -always- be flaws. However, part of a company selling security is how they respond to issues, and here, BlackPhone has performed quite well. There was a problem, they fixed it, and that is what matters.
Re:Security is a process ... (Score:4)
I agree that how a company handles incident response is important and the BlackPhone guys have apparently handled this well.
However, there are several things that are troubling about this story which lead me to not trust BlackPhone and question the security experience of the people designing it.
The first thing we notice about this exploit is that the library in question appears to be written in C, even though it's newly written code that is parsing complex data structures straight off the wire from people who might be attackers. What is this, 1976? These guys aren't programming smartcard chips without an OS, they're writing a text messaging app that runs on phones in which the OS is written in Java. Why the hell is the core of their secure messaging protocol written in C?
The second thing we notice is that the bug occurs due to a type confusion attack whilst parsing JSON. JSON?! Yup, SCIMP messages apparently contain binary signatures which are base 64 encoded, wrapped in JSON, and then base64 encoded again. A more bizarre or error-prone format is difficult to imagine. They manage to combine the efficiency of double-base64 encoding binary data with the tightness and simplicity of a text based format inspired by a scripting language which has, for example, only one kind of number (floating point). They get the joy of handling many different kinds of whitespace, escaping bugs, etc. And to repeat, they are parsing this mess of unneeded complexity .... in C.
Compare this to TextSecure, an app that does the same thing as the BlackPhone SMS app. TextSecure is written by Moxie Marlinspike, a man who Knows What He Is Doing(tm). TextSecure uses protocol buffers, a very simple and efficient binary format with a schema language and compiler. There is minimal scope for type confusion. Moreover, the entire app is written in Java, so there is no possibility of memory management errors whilst trying to read messages crafted by an attacker. By doing things this way they eliminate entire categories of bugs in one fell swoop.
So yes, whilst the BlackPhone team should be commended for getting a patch out to their users, this whole incident just raises deep questions about their design decisions and development processes. The fact that such a bug could occur should have been mind-blowingly obvious from the moment they wrote their first line of code.
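As an added example (not code from the thread or from the BlackPhone project): a strict, memory-safe decoder in Python for the double-base64-wrapped JSON layout the comment above describes. The field names, the fixed signature length and the envelope layout are assumptions for illustration, not the real SCIMP format. The point it shows is the check a type-confusion bug lacks: every field's JSON type is verified against a schema before any value is decoded or used.

```python
import base64
import json

# Assumed layout for this example (not the real SCIMP wire format):
# raw signature -> base64 -> JSON object -> base64 again.
SCHEMA = {"version": int, "sender": str, "signature": str}
SIG_LEN = 64  # assumed fixed signature length in bytes

class MalformedMessage(ValueError):
    pass

def encode_outer(obj) -> bytes:
    """Outer layer: JSON text, then base64. Also used to build sample input."""
    return base64.b64encode(json.dumps(obj).encode("utf-8"))

def build_envelope(version: int, sender: str, signature: bytes) -> bytes:
    """Constructed encoder for the assumed layout (inner base64 of the signature)."""
    inner = base64.b64encode(signature).decode("ascii")
    return encode_outer({"version": version, "sender": sender, "signature": inner})

def decode_envelope(wire: bytes) -> dict:
    """Strictly decode the outer base64 layer and type-check every JSON field."""
    try:  # binascii.Error, UnicodeDecodeError and JSONDecodeError are all ValueErrors
        obj = json.loads(base64.b64decode(wire, validate=True).decode("utf-8"))
    except ValueError as e:
        raise MalformedMessage(f"outer layer: {e}") from e
    if not isinstance(obj, dict):
        raise MalformedMessage("top level is not a JSON object")
    if set(obj) != set(SCHEMA):
        raise MalformedMessage("missing or unexpected fields")
    # Exact type match per field, checked before any value is used: a number,
    # array or bool where a string is expected is rejected here rather than
    # handed to a decoder that assumes a string buffer (the type-confusion case).
    for field, expected in SCHEMA.items():
        if type(obj[field]) is not expected:
            raise MalformedMessage(f"{field}: got {type(obj[field]).__name__}")
    return obj

def extract_signature(wire: bytes) -> bytes:
    """Return the raw signature bytes after both layers have been validated."""
    obj = decode_envelope(wire)
    try:
        sig = base64.b64decode(obj["signature"], validate=True)
    except ValueError as e:
        raise MalformedMessage(f"inner layer: {e}") from e
    if len(sig) != SIG_LEN:
        raise MalformedMessage(f"signature length {len(sig)} != {SIG_LEN}")
    return sig

def is_accepted(wire: bytes) -> bool:
    try:
        extract_signature(wire)
        return True
    except MalformedMessage:
        return False
```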
Comment removed (Score:5, Interesting)
Re: (Score:2)
Indeed, I've been wondering why anyone would think that this particular vendor of a proprietary Android-based phone is any better than the others. Because they say so?
Re:pretty much expected. (Score:5, Informative)
As to fixing bugs, that will always be an ongoing process. I'd like it better if they were open source, but I'd trust them better than most companies. JMHO...
Re: (Score:3)
Re: (Score:2)
ie, "I want to go live somewhere beautiful and I'm rich, how's Switzerland this time of year?"
Turning into a bad place for those who like privacy [accessnow.org].
Re: (Score:2)
Okay, Phil Zimmerman counts as a valid argument.
Re:pretty much expected. (Score:5, Insightful)
IT security is about tradeoffs.
The idea of 100% security, while possible, is impractical.
Your argument about Blackphone is the fact they are not supportive of the OSS mindset, so you are judging the quality of the technology based on what type of license it has.
Ok a flaw was found, and they put in a fix for it, what else do you expect from them?
Re: (Score:3)
IT security is about tradeoffs.
Not true, you can have worse security without gaining anything. So you can also increase security without losing any comfort. You are setting up a false premise that more security always requires a sacrifice. What we really need instead is a measure of achieved security, to rid ourselves of unnecessary, security-theatre-based sacrifices both in terms of privacy and money.
Re: (Score:3)
More security requires more diligence, which is often inconvenient. More security requires everyone to be secure, not just some, and that is definitely inconvenient, and requires trust that others are not putting you in danger (insecure), which requires compliance checks and verification, which is inconvenient. Technology can take the edge off the inconvenience, but isn't the panacea that everyone wants it to be.
The weakest link in security is people. Always has been, always will be.
Re: (Score:3)
This is one reason why I have hedged on buying one. How are they better than CyanogenMod, and for tools, open-source items, be it apg, K-9, EncFS (so files can be secured on both SD cards and cloud providers), RedPhone, TextSecure, and other apps that have their source available if one wants to manually look at it.
I respect PRZ incredibly, but one of the reasons why I continue to use PGP even though he states that it is obsolete is that PGP (and GnuPG) are open source... and they are platform and transport
Most secure phone there is? (Score:1)
30 Dollar Nokia
Re: (Score:3)
As for mobile phones, you really need to go back far enough before location information was integrated into them (long before smartphones).
Re: (Score:2)
Phone mode also at risk... (Score:5, Insightful)
It seems that the phone app on this device is susceptible to "Bank Impersonation" calls where the caller pretends to be from a bank when it actually is a scam artist.
Re: (Score:2)
For an additional $2000 I'm offering a service to identify if the phone user is also stupid and likely to fall for such simple marketing ploys. For your added benefit I don't even require any personal details, just deposit the money and call us and we can give you the results of our findings on the spot.
Re: (Score:3)
US$630? Isn't that about the same price as an iPhone 5s, and less than the price of the iPhone 6/6+?
You must be confused. iPhones are free. It says so right on the top of this contract I just signed. Sure, I have to pay more than $2000 over the next two years but the phone is free! It says so right here!
Would the phone company lie to me?
But, But (Score:3)
BlackPhone is TOTALLY 100% SECURE, when it is turned off
Re:But, But (Score:4, Informative)
Nothing is unhackable (Score:2, Informative)
Nowhere do they claim they are unhackable. It's just better than the alternatives. And at a consumer price at that.
It's more secure than blackberry, no back doors, and comparable to $2k+ solutions. It also runs android apps.
So yes, it's a trade off. If you want the ultimately secure phone, you're going to end up talking only to yourself.
Re:Nothing is unhackable (Score:4, Interesting)
It does have its appeal. For the average user who isn't that technical, and who doesn't know/care how to use PGP or gnuPG, this phone is a step up. At least a user who bought this will get better fixes with regards to security issues than with a lot of smartphones.
My biggest complaint is that it is a closed ecosystem. It would be nice if other devices that are not BlackPhones can run the apps so there can be a wider customer base. Otherwise, the device's acceptance will be hindered because everyone has to have that specific maker's phone. Plus, for every closed application, there is an open alternative.
Maybe the ideal would be to get PGP working independently and transparently with text messaging [1], mail, voice, video, and other items. That way, the metadata can be protected via one layer, but the actual contents are protected no matter what, even if the protocol is completely broken wide open.
[1]: An ideal would be something where sender's device would check if the receiver had the ability to receive (likely having the app poll a server every so often), and if so, send it over the Internet (mainly so it can be acknowledged it was received). If not, send it via SMS/MMS. Unlike iMessage, it would fall back and not assume that a specific app was installed and running.
Re: (Score:2)
There are several implementations of OpenPGP on Android and IOS. These guys [openkeychain.org] have one that's coming along nicely and has OK email and XMPP integration (because they actually wrote a decent API for (de)crypting).
Of course, your keys are only as secure as your phone... which isn't very. Google, the carrier (for stock, branded phones), and who knows else can remotely swipe the key from your device. There is rudimentary support for secure elements like YubiKey, though.
C? (Score:1, Offtopic)
Why are they still using C to deal with network protocol? Is the performance so critical that it's worth all the troubles?
Any high school student could have written this library in Java or something higher-level, running on JVM with all the strict rules and redundant checks everywhere, and without any need of special care for nasty security issues like that (unless VM itself is faulty, but it wouldn't concern app makers).
It might end up 10x slower and consume 10x more memory - but who cares? you have 4GB RA
Re: (Score:1)
You are what's wrong with technology today. Fuck you, and fuck java.
For starters, because it's transparent. (Score:2)
Why are they still using C to deal with network protocol?
For starters, because it's transparent. The "K&R compliant assembly language", as one of my former colleagues once characterized it, translates to object in a clearly understandable way (especially if you turn optimization down or off). Though it gives you more opportunities to create bugs, it makes it hard for the bugs to hide from inspection.
The "higher-level" the language, the more it takes over and inserts its own stuff between you and the me
Also: lots of code has been vetted for decades (Score:2)
Why are they still using C to deal with network protocol? Is the performance so critical that it's worth all the troubles?
Also, because there's a lot of C code that has been in heavy use, and tested for correctness, for decades, suitable for reuse with substantial confidence that it's correct (though you check it anyhow...).
Let's see you find code like THAT for a language that hasn't been AROUND for decades. B-)
Not "troubling", the word should be "sobering." (Score:3)