'Super-secure' BlackPhone pwned by super-silly txt msg bug
People always talk about your reputation ... Just be good to free()
Exclusive The maker of BlackPhone – a mobile marketed as offering unusually high levels of security – has patched a critical vulnerability that allows hackers to run malicious code on the handsets.
Attackers need little more than a phone number to send a message that can compromise the devices via the Silent Text application.
The impact of the flaw is troubling because BlackPhone attracts what hackers see as high-value victims: those willing to invest AU$765 (£415, $630) in a phone that claims to put security above form and features may well have valuable calls and texts to hide from eavesdroppers.
Mark Dowd (@mdowd), noted Sydney-based hacker and co-founder of security consultancy Azimuth Security, discovered the flaw during casual research in the latter months of 2014. He shared his findings with The Register while the fix – due to be disclosed today – was being developed.
"Successful exploitation can yield remote code execution with the privileges of the Silent Text application, which runs as a regular Android app, but with some additional system privileges required to perform its SMS-like functionality such as access to contacts, access to location information, the ability to write to external storage, and of course net access," Dowd said, noting the bug took him about a week to find.
The flaw, triggered by sending a carefully crafted text message to a victim, could also be coupled with a privilege-escalation exploit to gain full control of the vulnerable device – but this was not required to run arbitrary code as an unprivileged user.
Dowd has, in the past, reported vulnerabilities he discovered in a ZRTP third-party library utilized by the Silent Phone app in 2013 prior to the July 2014 launch of BlackPhone.
It was the marketing of the Silent suite of apps that piqued Dowd's interest – which led him to report the security hole he uncovered.
"They aim to combat mass-surveillance by relying on encrypted phone calls and messages by default, which is an effective counter-measure, but I wanted to evaluate those solutions from an application security standpoint [and] by that I mean I wanted to see how robust their implementations were against targeted attacks, and evaluate any additional attack surface they might expose," he said.
The flaw discovered in Silent Text is really a programming blunder within the Silent Circle Instant Messaging Protocol (SCIMP) library, which is responsible for establishing encrypted communication channels between devices for secure transmissions of text messages and files.
"The SCIMP protocol encodes messages as JSON objects, which are then transmitted to the remote party over XMPP," Dowd explained to The Register.
"The flaw I discovered occurs during the deserialization of these JSON objects. It is a type confusion vulnerability, which when exploited allows an attacker to overwrite a pointer in memory, either partially or in full.
"This pointer is later manipulated by the program and also the system allocator, allowing you to do things such as pass arbitrary pointers to free()."
The expert went on to say:
Specifically, libscimp expects JSON objects to contain a message type, and multiple fields that are relevant to that message type. By sending a JSON object that contains multiple message types, it is possible to have fields read in to memory from the JSON object for one message type misinterpreted as fields of another message type. This allows the attacker to engineer a situation whereby a pointer to user-controlled data may be overwritten (or partially overwritten) with a value of their choosing.
It is important to note that the implementation flaw does not imply any inherent weaknesses in the design of the SCIMP protocol nor the encryption mechanisms used by BlackPhone.
The device and its Silent Text app were the brain children of encryption gurus Phil Zimmermann, Jon Callas and Mike Janke who created the device in the wake of and in opposition to global spying revelations revealed by NSA leaker Edward Snowden.
They have not revealed how many BlackPhones are in operation, however the Android Silent Text app has clocked more than 50,000 downloads, according to Google, and is also available on Apple iOS.
Silent Circle was not available for immediate comment. ®
After publication of this article, once a patch was issued to BlackPhone owners, Dowd shared more technical details on the text-messaging flaw, here.