Remember Blackphone? The “secure smartphone for everything you do”? That phone that says it’s more secure than BlackBerry? Remember how that lovable scamp Justin Case thought he had hacked it only to discover that he, like most android users, hadn’t updated the firmware? Yeah, that phone. The secure smartphone built on Android. Hold your snickering. It’s about to get unfunny.
You see, those researchers over at Bluebox Security discovered a few problems. Namely, that it was vulnerable.
Let’s look at the issues.
Blackphone does not use Google Services or Google Play to help keep it secure, instead using their own custom apps. Unfortunately, their core apps aren’t secured. In fact, there is no implementation of SSL pinning. Meaning that attackers would be able to steal user credentials. Bluebox researchers were able to add their own SSL certificate, set up a man-in-the-middle attack and stole username and password information. The phone simply used the encryption certificate provided by the attackers since it did not have it’s own.
Root certificates! Who wants root certificates? Blackphone has more than 150 pre-installed, however, there’s no information about what many of them are.
“For example, there is a ‘Government Root Certificate’ certificate.Unfortunately, there is no way to determine which government specifically,”
And apparently, anyone with a root certificate on the phone could perform a man-in=the-middle attack,
Bluebox reported these issues to Blackphone, and they patched their software 11 days later bringing their version from PrivatOS 1.0.2 to PrivatOS 1.0.3. I’m sure the “secure smartphone for everything you do” is now finally secure right? Someone please tell Justin he needs to update his Blackphone again.
And to the makers of Blackphone, BlackBerry still hasn’t been hacked.