Bug in Silent Circle's Blackphone let attackers remotely control device

remote takeover vulnerability in Blackphone
Credit: Image: Florence Ion

A vulnerability in Silent Circle's privacy-focused Blackphone let attackers remotely take over the device's modem to send and receive texts, dial or connect calls, change call IDs, set call forwarding, force conference calls and more.

Silent Circle’s Blackphone is all about privacy and security, but security researchers discovered a remote takeover vulnerability that attackers could exploit to send and receive text messages, to eavesdrop on calls and to remotely control other Blackphone functions.

Blackphone runs on PrivatOS, which was designed to have “no gratuitous features, no hooks to carriers, and no leaky data by default;” this heavily customized version of Android gives users full control of app permissions and other security settings. Yet Tim Strazzere, director of mobile research at SentinelOne, explained that attackers could exploit a vulnerability, bypass a user’s control of the permissions, and communicate directly with the Blackphone’s modem. Put another way, the flaw could allow a hacker to remotely take control of the phone.

If you have a Blackphone, please don’t freak out as Silent Circle patched the vulnerability in December. SentinelOne has now released the details of the flaw and the attacks which were possible if a hacker exploited the vulnerability.

While SentinelOne security researchers were preparing for a DefCon Red Naga training session, they discovered a socket which was left open and accessible on the Blackphone. Strazzere wrote:

There is almost no mention of this socket anywhere on the internet – except for file_contexts used by SELinux on Android. It appeared to be for the nVidia Shield tablet, which is the only other Android device that seems to be used in the wild with an Icera modem and has since been abandoned by nVidia. As we dug deeper we found a few applications which interact with this socket, specifically agps_daemon, which has more elevated privileges than a normal shell/app user since it is a system/radio user.

After poking around in the Nvidia Icera modem binary, the researchers “found a way to talk directly to the [Blackphone’s] modem.” Upon further inspection, Strazzere said an attacker could run as a shell user and send commands to the radio, or use an Android app that has an internet permission to send commands to the radio.

In fact, Strazzere explained that attackers could send “AT” codes and other code paths to remotely takeover the Blackphone. The following is SentinelOne’s list of potential attacks a hacker could pull off by exploiting the vulnerability:

  • Send and receive text messages (which will not get passed to the main Android UI or be noticeable to the user in any way)
  • Dial or connect calls (this is apparent to the user as the UI dialogs will pop up, however this will often lead to freezing and non-cancellable calls which must be hung up via modem interaction)
  • Check the state of phone calls silently (what number the call is connected to, was it incoming or outgoing)
  • Reset APN/SMSC/Power settings
  • Force conference calls with other numbers
  • Mute the modem speaker
  • Force/unforce caller ID settings
  • Kill modem (hard reboot required to restore modem)
  • Find neighboring cell towers connected to
  • Silently register a call forwarding number (Blackphone will not notice any calls incoming, incoming caller will not be notified of forwarding)

Strazzere submitted the bug to SilentCircle in August. By November, he had collected the bug bounty. On Dec. 7, SilentCircle deployed a patch to close the hole on the original Blackphone which was released in 2014. The first Blackphone is still supported even though the Blackphone 2 is out and Blackphone 3 is in the works.

Even very secure devices can be vulnerable, Strazzere pointed out. “The increasing proportion of third party technology (hardware, drivers, software libraries, etc.) used in today’s devices makes detecting and remediating flaws more difficult than ever.”

A look inside the Microsoft Local Administrator Password Solution
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies