Blackphone Pwned? Here's the Real Story
Blackphone. Credit: SGP Technologies
UPDATE 8/13 12:01am: Contrary to what was originally reported, Sawyer has not disclosed the third Blackphone vulnerability to SGP; he is holding it back in order to continue researching it.
The Blackphone has been designed to be the highest-security consumer smartphone on the market. So when news broke this weekend at the DEF CON hacker conference in Las Vegas that someone had found not one, but three, flaws in the Blackphone — and taken only five minutes to do so — it was instantly the talk of the conference.
But that's not the full story. It turns out that the flaws that security researcher Jon "Justin Case" Sawyer found in the Blackphone were, by Sawyer's own admission, far less serious than they've been made out to be in the press.
So is the Blackphone still the best answer for security-minded consumers? Let's take a look.
On Aug. 9, Sawyer tweeted the first of three Blackphone issues: He was able to turn on the Blackphone's Android Debug Bridge (ADB). This component of the Android operating system (on which Blackphone's PrivatOS operating system is based) is a command-line tool that gives users access to some of the phone's inner workings.
Blackphone's creators, SGP Technologies, had disabled ADB on PrivatOS, but Sawyer found a way to enable it. SGP Chief Security Officer Dan Ford explained in a blog post that, in the first run of Blackphone releases, ADB had been merely disabled rather than removed entirely in order to get the phone ready for production.
"Turning ADB on is not a vulnerability, as this is part of the Android operating system," Ford wrote. "We turned ADB off because it causes a software bug and potentially impacts the user experience; a patch is forthcoming."
Sawyer tweeted that he disagreed.
The second of Sawyer's vulnerabilities had already been found and was patched Aug. 1. Sawyer's own Blackphone hadn't been updated, so the bug still existed on his device. It would have let attackers install malicious apps on a Blackphone, and then use those apps to gain heightened privileges.
The third vulnerability, however, was the real deal: a previously unknown flaw. Sawyer won't publicly describe the bug, and hasn't yet disclosed it to SGP, because he "want[s] to know the full extent before disclosing," he told me via Twitter. However, he added that the third bug is "extremely low-risk."
Physical access to a Blackphone is needed to exploit the flaw, making it somewhat more difficult to pull off.
"Nonetheless, we have a vulnerability, and it is important to Blackphone to resolve this vulnerability fast," Ford wrote in a follow-up post.
Blackphone was initially a bit slow to respond to Sawyer's findings, which prompted him to print a T-shirt proclaiming his hack. As the news spread, many people began to overhype Sawyer's findings. Sawyer himself took to Twitter to correct them. He even had some choice words for BlackBerry fans who argued that BlackBerry was more secure than Blackphone.
Sawyer and SGP are still in contact as Sawyer continues research on the third bug. Ford said SGP will release more details once it is patched.
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.