A serious vulnerability has been identified in the BlackPhone smartphone, a device sold as super-secure, with standard features to encrypt calls, texts, and emails.
BlackPhone, a smartphone sold as one of the safest in the world … is less safe than expected. The smartphone ships with a custom version of Android 4.4.2 whose distinguishing feature is the encryption of calls, texts and email so that third parties cannot decipher them, along with access to SpiderOak, an encrypted cloud storage service. According to its designers, the device also incorporates mechanisms to resist malware attacks.
It would seem to be an excellent product, but Ars Technica reveals that all that glitters is not gold: a bug in the instant messaging application would allow a malicious hacker to decrypt messages, access contacts and monitor vital functions of a phone specifically designed for use in government or other areas in which security should be the priority.
Mark Dowd, a consultant at the Australian company Azimuth Security, explains that an attacker needs only the Silent Circle ID or phone number of the target to exploit the bug remotely and do everything listed above, in addition to identifying the user's location, writing code or text to the device's memory and listing the device's accounts. BlackPhone engineers are said to have fixed the bug after the consultant privately reported the problem.
The vulnerability concerns SilentText, the "secure" (at least in theory) messaging application that comes standard with the device and is also available as a separate download from Google Play for other Android devices. A component known as "libscimp" contains a memory corruption bug, a flaw known as a "type confusion vulnerability".
Libscimp is BlackPhone's implementation of the Silent Circle Instant Messaging Protocol (SCIMP), which works in tandem with the Extensible Messaging and Presence Protocol (XMPP). SCIMP allows the creation of secure end-to-end channels between people who exchange text messages, handling the transport and encryption of data in the channel.
Technically, a "type confusion" vulnerability occurs when data of a certain type (e.g. a pointer to an object) is misinterpreted as another type, a typical programming error in C.
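
A minimal C illustration of the type confusion described above, added here as an example and not taken from libscimp or from the original report: one accessor trusts a union without checking its tag, the other validates the tag and the length bound first. The message layout and every name in it are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical message layout for illustration; not SCIMP's or libscimp's. */
enum msg_kind { MSG_TEXT = 1, MSG_COUNTER = 2 };

struct text_body    { uint32_t len; char data[32]; };
struct counter_body { uint32_t value; uint32_t epoch; };

struct msg {
    enum msg_kind kind;               /* tag: which union member is valid */
    union {
        struct text_body    text;
        struct counter_body counter;
    } u;
};

/* Confused: never looks at m->kind, so a MSG_COUNTER message has its
 * counter value silently reinterpreted as a text length. */
uint32_t text_len_unchecked(const struct msg *m) {
    return m->u.text.len;
}

/* Checked: validates the tag and the length bound before trusting the body.
 * Returns 0 on success, -1 if m is not a well-formed text message. */
int text_len_checked(const struct msg *m, uint32_t *out_len) {
    if (m == NULL || out_len == NULL) return -1;
    if (m->kind != MSG_TEXT) return -1;
    if (m->u.text.len > sizeof m->u.text.data) return -1;
    *out_len = m->u.text.len;
    return 0;
}

/* Constructed sample input: builds a message whose first body field is
 * `first` (text.len for MSG_TEXT, counter.value for MSG_COUNTER). */
struct msg make_msg(enum msg_kind kind, uint32_t first) {
    struct msg m;
    memset(&m, 0, sizeof m);
    m.kind = kind;
    if (kind == MSG_TEXT) m.u.text.len = first; else m.u.counter.value = first;
    return m;
}
```

A caller that used the unchecked length to copy out of `data` would read or write far past the 32-byte buffer, which is how a confused type turns into memory corruption.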