Security-conscious Blackphone found to have basic SMS vulnerability

28 Jan 2015

Blackphone image via Maurizio Pesce/Flickr

Marketed as the most secure smartphone on the market, the Blackphone has had to quickly fix a serious vulnerability that allowed it to be accessed with the help of a relatively simple SMS hack.

Launched in June of last year as part of a partnership between the Spanish smartphone manufacturer Geeksphone and Silent Circle, an encrypted communications company, the phone was heralded as the ‘anti-NSA’ phone that wouldn’t allow governments, snoops or hackers to access its data or systems.

However, despite praise for the device, a team from Azimuth Security in the US has stumbled on a flaw which should make the phone’s creators a little embarrassed.

The bug relates specifically to Blackphone’s Silent Text messaging program which its discoverer, Mark Dowd, found, after purchasing the phone, to contain ‘a serious memory corruption vulnerability’.

Just needed the phone number

According to Dowd’s blog post on his findings, the bug could have been exploited remotely by a hacker and, if successfully exploited, could give that person almost complete control over the messages, including the ability to decrypt them, as well as the ability to gather the phone’s location, read the phone’s contacts and even take complete control of the phone if another piece of code is inserted after the initial access.

Dowd goes on to explain that the flaw could be exploited without the need for a phishing SMS scam, as all that is required is the phone’s number or Silent Circle ID.

He first discovered the flaw in August 2014 but, following the protocol that is common among security experts, has only gone public with the information now that the affected company has confirmed the bug has been patched.

Colm Gorey was a senior journalist with Silicon Republic
