Username and password for Silent Circle apps leaked to any SSL server

Sep 9, 2014 09:27 GMT

A review of Blackphone, dubbed a “secure smartphone for everything you do,” reveals that although the device benefits from increased security features, it is not immune to vulnerabilities.

Researchers at Bluebox Security investigated the phone running version 1.0.2 of PrivatOS, the custom operating system forked from Android/AOSP designed with increased security in mind.

They found a number of issues, such as questionable root certificates, information leaking from core apps shipped on the device, and a software-based credential storage scheme.

Leaky login info to any SSL server

Bluebox found that Blackphone’s core apps (Silent Circle apps, Secure Wireless and SpiderOak) did not have SSL pinning implemented, which meant that an attacker in a position to intercept the connection could capture user credentials.

They added their own SSL certificate to the device and set up a man-in-the-middle (MitM) attack, allowing them to intercept the username and password as they were sent; since the client held no pinned certificate to compare against the one the server presented, it accepted the attacker’s certificate and sent all the details over a connection encrypted with the attacker’s key.

SSL pinning has the client carry a copy (or a fingerprint) of the certificate or public key it expects the server to present, rather than trusting any certificate issued by one of the Certificate Authorities installed on the device. This way, when the client connects to the server, the certificate it receives is checked against the pinned one before any data is sent, and the information is only traded once the server’s identity has been confirmed, encrypted under the keys negotiated with that server.
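As an added illustration of the difference (not code from the Bluebox report or from the Blackphone apps), the following pure-Python snippet computes the SubjectPublicKeyInfo hash that pinning compares against, builds a constructed, unsigned DER stand-in for a certificate, and replays the situation above with a constructed attacker root installed in the phone’s trust store. All names, keys and root labels are placeholders.

```python
import base64
import hashlib

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (single-byte tag, definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf: bytes, off: int):
    """Decode the element at off; return (tag, body_start, end_of_element)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln

def spki_pin(cert_der: bytes) -> str:
    """SHA-256 of the DER SubjectPublicKeyInfo, in the 'sha256/<base64>' form HPKP and OkHttp use."""
    _, off, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, off, _ = _read_tlv(cert_der, off)        # now at the first tbsCertificate field
    skip = 6 if cert_der[off] == 0xA0 else 5    # optional [0] version shifts the SPKI by one
    for _ in range(skip):                       # version?, serial, sigAlg, issuer, validity, subject
        off = _read_tlv(cert_der, off)[2]
    end = _read_tlv(cert_der, off)[2]
    return "sha256/" + base64.b64encode(hashlib.sha256(cert_der[off:end]).digest()).decode()

def fake_cert(pubkey: bytes, cn: str) -> bytes:
    """Constructed stand-in for a DER certificate: real X.509 field order, dummy values, no real signature."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))
    spki = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\xCE\x3D\x02\x01") + _tlv(0x03, b"\x00" + pubkey))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
           + _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\xCE\x3D\x04\x03\x02")) + name
           + _tlv(0x30, _tlv(0x17, b"140826000000Z") * 2) + name + spki)
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00sig"))

def mitm_scenario() -> dict:
    """The Bluebox setup: the attacker's root sits in the phone's store, so only a pin rejects its cert."""
    legit = fake_cert(b"\x04" + b"\x11" * 64, "silentcircle.example")     # constructed name and key
    attacker = fake_cert(b"\x04" + b"\x22" * 64, "silentcircle.example")  # same hostname, attacker's key
    installed_roots = {"Real CA", "Government Root Certificate", "Attacker Root"}  # constructed store
    chains_to = {legit: "Real CA", attacker: "Attacker Root"}
    pins = {spki_pin(legit)}                                                # shipped inside the app
    return {
        "unpinned_accepts_attacker": chains_to[attacker] in installed_roots,
        "pinned_accepts_legit": spki_pin(legit) in pins,
        "pinned_accepts_attacker": spki_pin(attacker) in pins,
    }
```

A real client still performs normal chain validation and then checks the pin against the leaf or any intermediate in the validated chain; the pin complements that validation rather than replacing it.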

Questionable digital certificates, software-based credentials storage

The Bluebox researchers have also noticed that Blackphone ships with more than 150 pre-installed root certificates, and in some cases, there is no clear information about them.

“For example, there is a ‘Government Root Certificate’ certificate. Unfortunately, there is no way to determine which government specifically,” write the experts in their analysis.

They say that the potential risk is that anyone with a root certificate on the phone could perform a MitM attack in order to intercept communication.

The certificates can be disabled manually, but it is a painstaking process that has to be repeated each time the device is wiped.

Another issue found in PrivatOS 1.0.2 was the lack of hardware-backed protection for stored credentials. Bluebox notes that, in the version they analyzed, credential storage was handled purely in software.

On the upside, all these problems were found in PrivatOS 1.0.2 and the developer moved quickly: they were addressed in a newer build of the OS, 1.0.3, released on August 26, 11 days after Bluebox reported them.

Blackphone does not include Google licensed apps and relies on custom software (Silent Circle apps) to provide encrypted communication via voice (Silent Phone) and text (Silent Text) and a secure way to store contacts (Silent Contacts).