The Blackphone From Silent Circle Appears To Have Had A Security Flaw Inside The Messaging App

January 28, 2015 - Written By Justin Diaz

You’ll probably hear us talking about mobile security from time to time, as we feel it’s an important thing to keep in mind, and in today’s world people certainly need to pay more attention to it. Personal privacy is a big thing, and it may not be as important to some companies as it is to Silent Circle, the company behind the Blackphone. The Blackphone, for those who are unaware, is touted as a super secure device with end-to-end encryption on messages, voice calls and data, and for all it’s worth they do an excellent job at putting your personal privacy first. Even devices like the Blackphone, though, can be susceptible to security risks.

This seems to have been the case with the Blackphone and a now-patched vulnerability in SilentText, the secure messaging app that comes pre-installed on the device. The vulnerability reportedly gave attackers the ability to decrypt messages, read contact information, and gather location data on the user of the device. It also apparently opened a window for attackers to execute malicious code. As we stated above, thankfully it seems the vulnerability has already been fixed. We can only assume, though, that this was a bug present inside the SilentText app on the Blackphone since its release.

The security risk is said to have been discovered by an individual named Mark Dowd, who is the founder of an Australian consulting firm called Azimuth Security. Dowd says he discovered the vulnerability while using his own personal Blackphone, and details that the bug had to do with memory corruption. He also notes, though, that for it to have been a threat the vulnerability would have to have been exploited successfully. Dowd also explains that had an attacker exploited the vulnerability within SilentText, they could then have potentially gained root access or kernel access to the device if they had any knowledge of the Android privilege escalation exploit that affects PrivatOS. With an owner’s Silent Circle ID or phone number, an attacker with the above knowledge would have been able to exploit these vulnerabilities with much success, but after Dowd’s discovery both Silent Circle and Blackphone were notified, which allowed them both to patch the SilentText app.

If you use a Blackphone and want to update to the latest firmware, you can do so by hitting this link, which takes you to the support page for updating Blackphone software. Although Blackphone isn’t completely exempt from security risks, they take privacy very seriously and do all they can to give users the most secure experience possible, and they do so in part with the Bug Bounty Program, which rewards people with a minimum of $128 for finding any vulnerabilities in the system.