Silent Circle, makers of the security and privacy focused Blackphone, have patched a vulnerability that could allow a malicious mobile application or remote attacker to access the device’s modem and perform any number of actions.
The update was released Dec. 7 in version 1.1.13 RC3; details of the issue were disclosed today by SentinelOne, which discovered the problem in August and coordinated a fix and disclosure through Bugcrowd.
The Blackphone includes encrypted messaging services such as Silent Text and Silent Phone, and is meant to be a deterrent to hackers and surveillance efforts alike.
SentinelOne director of mobile research Tim Strazzere said he found an open socket—shell@blackphone:/dev/socket $ ls l at_pal srwrwrw radio system 20150731 17:51 at_pal—accessible on the phone that the agps_daemon, a system-level shell is able to communicate with. The vulnerability, CVE-2015-6841, is specific to the modem used by the Blackphone, the Icera modem developed by nVidia. The manufacturer announced in May it was discontinuing its Icera softmodem business.
Strazzere said that an attacker could use a malicious app, or chain together a Stagefright-type exploit with this vulnerability, to send commands to the phone’s radio.
The result poses a number of privacy and security woes for victims; an attacker could enable call forwarding, mute the phone, or send and read SMS messages all without leaving a trace on the device.
“If an attacker got you to download a benign app that talks to the socket that is left open, it provides them with a direct link to the modem,” Strazzere said. The app, he said, would not have to request unnecessary permissions from the user, for example, which might trigger some suspicions about its intent. “You would be able to do anything the modem could do. This would allow someone to masquerade their app with no permissions and access things they’re not supposed to.”
Strazzere said he’s unaware of attacks compromising this vulnerability, though he said it was relatively easy to find. The researcher said he stumbled upon it in preparation for Red Naga training in advance of last summer’s DEF CON.
In a report published today, Strazzere explained how the agps_daemon interacts with the modem:
“After we open agps_daemon in IDA Pro this is quickly confirmed, and we can see that this privileged process listens on the at_pal socket and writes anything that is received from the socket to the ttySHM3 port. Looking around the binary we can also see that the ttySHM3 port is being listened to by the radio. This means we’ve found a way to talk directly to the modem!”
The Icera modem, meanwhile, is expected to be phased out completely some time this year. Strazzere said he had never seen one in use and wasn’t sure why it was deployed in the Blackphone. The open socket, meanwhile, was likely not supposed to make it to the production model, he said.
“It might be a remnant; it appears they left it in there to do some debugging,” Strazzere said. “Maybe it was meant to be removed, but they forgot. It looks like it was left there to help with debugging or testing things out.”
Instead, it opened the door to a laundry list of problems that would put a Blackphone user at risk. Blackphones are not commodity devices; they’re preferred by privacy-conscious people, or those in oppressed areas wish to keep their personal safety in check. The vulnerability opens the door to any number of problems beyond the interception of calls and messages; SentinelOne said, for example, an attacker would be able to find neighboring cell towers the device connected to, or kill the modem altogether, leaving the victim without a means of communicating.
