Glitch could lead to full compromise of the handset

Jan 28, 2015 14:00 GMT  ·  By

A security flaw in the instant messaging application available on BlackPhone, the smartphone specifically built for increased levels of privacy, allows a potential attacker to execute arbitrary code that could lead to taking complete control of the device.

Developed by SGP Technologies, BlackPhone runs on PrivateOS, an Android-based operating system modified to eliminate privacy concerns, promising end-to-end encrypted communication between its users.

Attacker needs only Silent Circle ID or phone number

Successful exploitation of the bug permits the threat actor to run commands with the same privileges as the chat application (Silent Text), security researchers have found.

Mark Dowd from security company Azimuth Security in Australia says that the risks involved include decrypting messages, collecting location information, reading contacts, writing data to the external storage unit, or executing code that could elevate privileges.

It would also be possible to gain access to the Silent Circle account that controls all secure services available for the handset.

According to the researcher, the only thing an attacker would be required to have to take advantage of the security flaw is the ID or phone number of the victim. “The target does not need to be lured into contacting the attacker (although the flaw is exploitable in this scenario as well),” Dowd said in a blog post on Tuesday.

The company has already deployed patches for the Silent Text app in the Android and iPhone app marketplaces, and the fix has also been pushed through BlackPhone’s update mechanism.

Type confusion vulnerability discovered

The researcher says that the weakness is a serious memory corruption that could be triggered remotely. It resides in the Silent Circle Instant Message Protocol (SCIMP), which is used to create a secure communication channel between Silent Text users.

As such, SCIMP is responsible for passing the messages in a secure manner, preventing any eavesdropping from a third party.

It appears that the implementation of the protocol in the application contained “a type confusion vulnerability, that allows an attacker to directly overwrite a pointer in memory (either partially or in full),” leading to the aforementioned consequences.

Azimuth Security has published a lengthy technical post that walks through the interaction between the application’s functions and explains how the flaw can be exploited.
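To make the class of bug concrete, the following C program is an added illustration written for this page; it is not Silent Text code and not taken from the Azimuth Security write-up, and its message layout, field names (text_msg, key_msg, session) and handler names are all constructed assumptions, not SCIMP’s. It shows the generic shape of a type confusion: a handler reads a union through the member the protocol state machine expects rather than the member the decoded message actually is, so bytes the peer supplied as a text body land in a pointer field. The vulnerable handler returns the confused pointer as an integer and never dereferences it; the fixed handler beside it shows the check that rejects the mismatch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy protocol, not SCIMP's real message format: two message
 * kinds share one union, so the byte body of a text message overlays the
 * pointer field of a key message. */
enum msg_kind { MSG_TEXT = 1, MSG_KEY = 2 };

struct text_msg { uint32_t kind; uint8_t body[24]; };            /* bytes from the wire */
struct key_msg  { uint32_t kind; uint8_t *key; uint32_t len; };   /* key is a heap pointer */

union msg {
    uint32_t kind;          /* common header, same offset in both members */
    struct text_msg text;
    struct key_msg  key;
};

struct session {
    enum msg_kind expected; /* what the protocol state machine expects next */
    union msg last;
};

/* Decode a wire message: 4-byte kind (host byte order, an assumption of this
 * toy), then the payload. A text payload is copied verbatim into body[]. */
static int decode(const uint8_t *wire, size_t n, union msg *out)
{
    if (n < 4) return -1;
    memset(out, 0, sizeof *out);
    memcpy(&out->kind, wire, 4);
    if (out->kind == MSG_TEXT) {
        size_t len = n - 4;
        if (len > sizeof out->text.body) len = sizeof out->text.body;
        memcpy(out->text.body, wire + 4, len);
        return 0;
    }
    if (out->kind == MSG_KEY) return 0;   /* key setup omitted in this toy */
    return -1;
}

/* VULNERABLE pattern: the handler trusts the session's expectation instead of
 * the kind the message actually carries. A text message arriving while a key
 * message is expected is read through the key member, so body bytes chosen by
 * the peer become the key pointer. It is returned as an integer, never used. */
static uintptr_t process_vuln(struct session *s, const uint8_t *wire, size_t n)
{
    if (decode(wire, n, &s->last) != 0) return 0;
    if (s->expected == MSG_KEY)
        return (uintptr_t)s->last.key.key;   /* type confusion */
    return 0;
}

/* FIXED pattern: the decoded kind must match the expected kind before the
 * union is read through that member; anything else is rejected. */
static int process_fixed(struct session *s, const uint8_t *wire, size_t n)
{
    if (decode(wire, n, &s->last) != 0) return -1;
    if (s->last.kind != (uint32_t)s->expected) return -1;  /* reject mismatch */
    return 0;
}

/* Constructed wire sample: kind = MSG_TEXT followed by 24 bytes of 0x41. */
static size_t build_sample(uint8_t *wire)
{
    uint32_t kind = MSG_TEXT;
    memcpy(wire, &kind, 4);
    memset(wire + 4, 0x41, 24);
    return 28;
}

/* A pointer value whose every byte is 0x41: what the confused read yields. */
uintptr_t expected_pattern(void)
{
    uintptr_t p;
    memset(&p, 0x41, sizeof p);
    return p;
}

/* Runs the vulnerable handler on the sample while a key message is expected. */
uintptr_t demo_vulnerable(void)
{
    uint8_t wire[28];
    struct session s = { MSG_KEY, {0} };
    size_t n = build_sample(wire);
    return process_vuln(&s, wire, n);
}

/* Same input through the fixed handler; returns 1 when it is rejected. */
int demo_fixed_rejects(void)
{
    uint8_t wire[28];
    struct session s = { MSG_KEY, {0} };
    size_t n = build_sample(wire);
    return process_fixed(&s, wire, n) == -1;
}

int main(void)
{
    printf("vulnerable handler read key pointer 0x%lx\n", (unsigned long)demo_vulnerable());
    printf("fixed handler rejected the message: %s\n", demo_fixed_rejects() ? "yes" : "no");
    return 0;
}
```

The design point is the one the article’s quote makes: once a peer can choose which member of a union a handler reads through, whatever bytes it supplied in the other member become a pointer, partially or in full, and the only robust defence is to validate the message’s own type tag against the state machine before any member is touched.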

Image gallery (4 images): Silent Text on BlackPhone; Silent Text has been patched on Android and iOS; BlackPhone offers encrypted communication and safe storage of contacts.