'Super-secure' BlackPhone pwned by super-silly txt msg bug

People always talk about your reputation ... Just be good to free()

Exclusive The maker of BlackPhone – a mobile marketed as offering unusually high levels of security – has patched a critical vulnerability that allows hackers to run malicious code on the handsets.

Attackers need little more than a phone number to send a message that can compromise the devices via the Silent Text application.

The impact of the flaw is troubling because BlackPhone attracts what hackers see as high-value victims: those willing to invest AU$765 (£415, $630) in a phone that claims to put security above form and features may well have valuable calls and texts to hide from eavesdroppers.

Mark Dowd (@mdowd), noted Sydney-based hacker and co-founder of security consultancy Azimuth Security, discovered the flaw during casual research in the latter months of 2014. He shared his findings with The Register while the fix – due to be disclosed today – was being developed.

"Successful exploitation can yield remote code execution with the privileges of the Silent Text application, which runs as a regular Android app, but with some additional system privileges required to perform its SMS-like functionality such as access to contacts, access to location information, the ability to write to external storage, and of course net access," Dowd said, noting the bug took him about a week to find.

The flaw, triggered by sending a carefully crafted text message to a victim, could also be coupled with a privilege-escalation exploit to gain full control of the vulnerable device – but this was not required to run arbitrary code as an unprivileged user.

Dowd has previously reported vulnerabilities he found in 2013 in a third-party ZRTP library used by the Silent Phone app, before BlackPhone's July 2014 launch.

It was the marketing of the Silent suite of apps that piqued Dowd's interest – which led him to report the security hole he uncovered.

"They aim to combat mass-surveillance by relying on encrypted phone calls and messages by default, which is an effective counter-measure, but I wanted to evaluate those solutions from an application security standpoint [and] by that I mean I wanted to see how robust their implementations were against targeted attacks, and evaluate any additional attack surface they might expose," he said.

The flaw discovered in Silent Text is really a programming blunder within the Silent Circle Instant Messaging Protocol (SCIMP) library, which is responsible for establishing encrypted communication channels between devices for secure transmissions of text messages and files.

"The SCIMP protocol encodes messages as JSON objects, which are then transmitted to the remote party over XMPP," Dowd explained to The Register.

"The flaw I discovered occurs during the deserialization of these JSON objects. It is a type confusion vulnerability, which when exploited allows an attacker to overwrite a pointer in memory, either partially or in full.

"This pointer is later manipulated by the program and also the system allocator, allowing you to do things such as pass arbitrary pointers to free()."

The expert went on to say:

Specifically, libscimp expects JSON objects to contain a message type, and multiple fields that are relevant to that message type. By sending a JSON object that contains multiple message types, it is possible to have fields read in to memory from the JSON object for one message type misinterpreted as fields of another message type. This allows the attacker to engineer a situation whereby a pointer to user-controlled data may be overwritten (or partially overwritten) with a value of their choosing.
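To make that bug class concrete, here is an added illustration, written for this page and not taken from libscimp or from Dowd, of the pattern he describes: a deserializer that stores each JSON member as it arrives into a union-backed message struct, beside a hardened version that settles the message type first and rejects members that belong to another type. The message kinds, field names and the sample object are constructed, and the JSON is assumed to be already tokenised into key/value pairs.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum kind { K_NONE, K_DATA, K_COMMIT };  /* hypothetical message kinds, not libscimp's */
struct kv { const char *key, *value; };   /* one already-tokenised JSON member */
/* Union: DATA's payload pointer shares bytes with COMMIT's counter, so a member stored through the wrong view replaces a pointer. */
struct message {
    enum kind kind;
    union { struct { const char *payload; size_t len; } data;
            struct { uint64_t counter, hash; } commit; } u;
};
static enum kind type_key(const char *k) {
    return !strcmp(k, "data") ? K_DATA : !strcmp(k, "commit") ? K_COMMIT : K_NONE;
}
/* Vulnerable pattern: members are stored as met, never checked against the one type the object should carry. */
int parse_loose(struct message *m, const struct kv *kv, size_t n) {
    memset(m, 0, sizeof *m);
    for (size_t i = 0; i < n; i++) {
        if (type_key(kv[i].key)) m->kind = type_key(kv[i].key);
        else if (!strcmp(kv[i].key, "payload")) m->u.data.payload = kv[i].value;
        else if (!strcmp(kv[i].key, "counter")) m->u.commit.counter = strtoull(kv[i].value, NULL, 0);
    }
    return m->kind != K_NONE;
}
/* Hardened: settle the type first (exactly one type key), then accept only that type's members and reject foreign ones. */
int parse_strict(struct message *m, const struct kv *kv, size_t n) {
    enum kind k = K_NONE;
    memset(m, 0, sizeof *m);
    for (size_t i = 0; i < n; i++) {
        enum kind t = type_key(kv[i].key);
        if (t) { if (k) return 0; k = t; }   /* second type key: reject */
    }
    if (!k) return 0;                         /* no type key: reject */
    for (size_t i = 0; i < n; i++) {
        if (type_key(kv[i].key)) continue;
        if (k == K_DATA && !strcmp(kv[i].key, "payload")) m->u.data.payload = kv[i].value;
        else if (k == K_COMMIT && !strcmp(kv[i].key, "counter")) m->u.commit.counter = strtoull(kv[i].value, NULL, 0);
        else return 0;                        /* member of another type: reject */
    }
    m->kind = k; return 1;
}
/* Constructed hostile object: two type keys, with COMMIT's counter arriving after DATA's payload so its bytes land on the pointer slot. */
static const struct kv CONFUSED[] = {{"commit", "1"}, {"data", "1"}, {"payload", "hi"}, {"counter", "0x41414141"}};
static const struct kv BENIGN[] = {{"data", "1"}, {"payload", "hi"}};
/* Loose parser's final payload pointer, returned as an integer and never dereferenced: 0x41414141, i.e. overwritten. */
uintptr_t loose_payload_ptr(void) { struct message m; parse_loose(&m, CONFUSED, 4); return (uintptr_t)m.u.data.payload; }
/* Strict parser's verdict: 0 for CONFUSED (rejected), 1 for BENIGN (accepted). */
int strict_accepts(int hostile) { struct message m; return parse_strict(&m, hostile ? CONFUSED : BENIGN, hostile ? 4 : 2); }
```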

It is important to note that the implementation flaw does not imply any inherent weaknesses in the design of the SCIMP protocol nor the encryption mechanisms used by BlackPhone.

The device and its Silent Text app were the brainchildren of encryption gurus Phil Zimmermann, Jon Callas and Mike Janke, who created the device in the wake of, and in opposition to, the global spying revelations of NSA leaker Edward Snowden.

They have not revealed how many BlackPhones are in operation; however, the Android Silent Text app has clocked more than 50,000 downloads, according to Google, and is also available on Apple iOS.

Silent Circle was not available for immediate comment. ®

After publication of this article, once a patch was issued to BlackPhone owners, Dowd shared more technical details on the text-messaging flaw.
