Developer collaborating with the hacker to release a patch

Aug 11, 2014 12:17 GMT

The famous Blackphone, the mobile phone built to encrypt all forms of communication it can manage (calls, emails, text and web browsing), has been rooted at the DefCon hacker conference in Las Vegas, but its makers say that everything is to receive a fix in a short while.

Jon Sawyer (@TeamAndIRC), CTO of Applied Cybersecurity LLC, took to Twitter to announce that he had found three vulnerabilities in the secure phone, allowing him to root the device.

However, things are not that bleak, as Dan Ford, chief security officer at SGP Technologies, the company developing the underlying operating system for the device, announced on August 10 that he discussed two of the issues with Sawyer, one of them having already been patched by the latest over-the-air (OTA) update.

“@TeamAndIRC and I had a chat here at Def Con. I would like to thank him for not blowing the issue out of proportion and going back to the twittersphere for a little more transparency by explaining that direct user interaction is required and that we had already patched one of the vulnerabilities through the OTA update,” writes Ford.

The three issues listed by Sawyer are referred to on Twitter as “USB debugging/dev menu removed, open via targeted intent,” “remotewipe app runs as system, and is debuggable,” and “system user to root, many available.”

SGP Technologies responds that the first problem actually consists of turning on ADB (Android Debug Bridge), a component that had been disabled on purpose because it caused some problems that affected overall user experience; a patch for this is on its way.

Another glitch disclosed by the hacker has already been patched, while the third, which provides the root, has not been publicly disclosed yet.

The fact that rooting the device requires user intervention decreases the chances of successfully carrying out the operation, as many of those who need a safe communication device are already security-aware and less likely to fall into the trap.

In his post, Ford wanted to emphasize that the developers moved very fast when applying the patch, as they had discovered the glitch on July 30 and the next day they already had a fix ready, which was delivered on August 1.

He was confident that as soon as the hacker discloses the third vulnerability, SGP Technologies would be able to release an update with the repair as fast as the previous time.