We live in a world where our smartphones and online accounts are some of the primary ways we communicate with each other. That's all well and good, but these devices and services rely on data and servers that are outside of our control, and for a couple of years now a big question mark has been hanging over just how safe they are. This has led to specialist devices such as the Silent Circle Blackphone and Sikur's Granitephone. According to this latest vulnerability report, it seems that not even devices like the Blackphone are 100% secure.
A pretty serious vulnerability in the original Blackphone was discovered and published on the Sentinel One blog, one that could lead to a total takeover of the phone. The main culprit appears to be the NVIDIA Icera LTE modem, coupled with an open socket pointing to the modem. It was then discovered that, without the user's knowledge, the vulnerability could be used to change call forwarding settings, add another number to an ongoing call and send a text, all without Android showing a UI popup or any other feedback. Vulnerabilities are found in operating systems and devices all the time, but what happens next is the key to whether something becomes a threat or not. This new find was assigned the identifier CVE-2015-6841 and fixed in the PrivatOS 1.1.13 update to the phone. Dan Ford, Chief Security Officer for Silent Circle, said that vulnerabilities were inevitable and that it's how you react that's the big deal. He then went on to say "How does Silent Circle react? We patch vulnerabilities and give credit where credit is due".
This sort of thing shouldn't come as too much of a surprise. After all, there's a whole industry of white hat hackers out there looking for bugs and holes to crack open and then sell to the manufacturer for a profit. Big names like Google practically encourage it, and so far it's been working fairly well. Sentinel One published a timeline running from when the vulnerability was found, in August of last year, to when it was officially patched, in December of last year. That's a pretty slow turnaround to be honest, but it wasn't until the second week of September that it was given a CVE classification. Regardless, this is a good example of how to patch vulnerabilities the right way. It's just a shame Silent Circle weren't quicker.