back to article Blackphone rooted at BlackHat

A security researcher at BlackHat has sparked a “did-he-didn't-he” Tweet-storm over the extent of an alleged “hack” of the “secure by design” Blackphone. The Twitter argument continues, with @TeamAndIRC first announcing that it only took five minutes to root the Blackphone* (see Bootnote); then backtracking on one claim …

  1. Christian Berger

    I wouldn't have expeced otherwise

    The Blackphone went down a wrong route. It's just a slightly modified standard phone.

    The problem with that is complexity. Mobile operating systems are orders of magnitude to complex to be secure. More complexity means more errors, and more errors mean more security critical errors.

    Another problem on those devices is that you have several instances of "binary blobs", code running with very high privileges, facing outside, but having never gone through some sort of security audit.

    If you actually want to have a secure device, you need to design it differently. One important thing is to spread out your hardware to different components connected via simple interfaces. Todays mobile phones often have their GSM/UMTS/LTE baseband connected via shared memory or USB, this means that once the baseband is is compromised it's plausible it can attack the application processor, and therefore read out all the keys... or just fake the display.

    If you had a simple high speed serial port running a much simpler protocol like PPP, this becomes so hard it gets implausible.

    You could have each function of your mobile phone done by an independent microcontroller. The software running on each of those would be simple enough that it would be essentially bug free, so it wouldn't need to be updated. Simple protocols could reduce the attack surface even more.

    Without any need to update your software, you could just embed your electronics in transparent resin with a bit of glitter. That would even make the hardware tamper evident.

    Then you could greatly simplify the software architecture. Since it'll always be possible to get keys out of your device, and since the CA concept of TLS is severely broken, you could just limit the communication of your device to a single server you own yourself. Since you can exchange the key in advance, you can simply use symmetric encryption. Securing a server is much easier than securing a device that's inside your pocket.

    1. Anonymous Coward
      Thumb Up

      Re: I wouldn't have expeced otherwise

      Only the principles I've been using my whole life when it comes to any kind of engineering (hw/sw/systems/security/whatever). It makes the formal verification so much easier and with security, that's a definite plus.

    2. Daniel Palmer

      Re: I wouldn't have expeced otherwise

      >Another problem on those devices is that you have several instances of "binary blobs",

      >code running with very high privileges, facing outside, but having never gone through

      >some sort of security audit.

      Which binary blobs on Android face outside?

      >If you had a simple high speed serial port running a much simpler protocol like PPP,

      Why does that help at all? If you can exploit USB drivers to take over the screen why couldn't you exploit the PPP daemon running the link between the application processor and the baseband.

      >this becomes so hard it gets implausible.

      How? The only way to totally avoid not having the baseband fiddle with the applications processor is to not link them at all... which makes your phone a bit useless. As soon as you link them up you have hardware and software components operating the link that can be exploited. Changing the type of link doesn't change that.

      >You could have each function of your mobile phone done by an independent microcontroller.

      >The software running on each of those would be simple enough that it would be

      >essentially bug free, so it wouldn't need to be updated.

      *essentially bug free* .. so not bug free. So still has potential to be exploitable. So back to square one.

      >Simple protocols could reduce the attack surface even more.

      Even simple protocols go through complex layers of hardware and software.

  2. SteveB299
    Facepalm

    Miss Quoting

    I wonder what type of price she'd offer you for a Blackphone?!

    1. This post has been deleted by its author

  3. Anonymous Coward
    Paris Hilton

    Is he sure?

    "Hey BlackBerry idiots, stop miss quoting me on your blogs. Your phone is only "secure" because it has few users and little value as a target"

    If we believe another article on El Reg, those "few users" seem to be people rather high up in certain organisations (governments, banks and the like) who might be seen as quite valuable targets. I would have expected a security researcher to point to actual evidence of insecurity, not, you know, resort to abuse.

    Paris, because of her expertise in securing sensitive data.

    1. Anonymous Coward
      Anonymous Coward

      Re: Is he sure?

      There's also the issue of binary blobs that are critical to BlackPhone's security (see C. Berger's post above) yet are not controlled by BlackPhone.

      No. 1 security rule: you must have control over all aspects of the platform including all of its software. If you don't you then you can't very claim that it's secure. I picked my words carefully; control doesn't necessarily mean having the source code. The right sort of commercial agreement with the source code owner could be adequate control. But it's not obvious or certain that BlackPhone have such an arrangement with (presumably) Google. If a flaw is found in one of those blobs then presumably they'd have to persuade Google to fix it.

      However Blackberry do control everything on their platform, both hardware and software. So for that matter do Apple, and MS sort of does too (they've defined a hardware standard to which manufacturers have to conform in order to get the binaries from MS). It doesn't guarantee that any of them have got it right, but it does mean they can fix problems easily once they're found.

      BlackBerry in particular have a large number of official accreditations for their entire offering (BES all the way through to handsets) from various bits of the US and other governments. Whilst the worth of all that accreditation may be debated, there's no doubt that BlackBerry's offering has had more independent (i.e. not done by BlackBerry) assessments than has BlackPhone.

      Another point - BlackBerry's "few users" is a far larger number of owners than Blackphone.

      1. Anonymous Coward
        Anonymous Coward

        Re: Is he sure?

        Among all that waffle you appear to have confused operating systems with a product based on a particular OS.

        With all that marvellous control Blackberry, Apple and Microsoft have over their products i'm sure everyone feels that are totally secure. No backdoors or anything like that the NSA could use, completely secure. Not.

        Still, known vulnerabilities are always better than unknown although it looks bad if they are found on a product you sell based on security.

      2. Anonymous Coward
        Anonymous Coward

        Re: Is he sure?

        "No. 1 security rule: you must have control over all aspects of the platform including all of its software."

        Well then, under that rule, a secure mobile device is impossible for two interrelated reasons: standards-essential patents and trade secrets associated with them at the hardware level. You can't work around the patents since they're standards-essential yet the holders insist on NDAs and other black-box crap because their trade secrets are as good as gold to them.

        So you're faced with a no-win situation. The black-box tech is required to essentially BE a mobile, yet that black box itself becomes a potential intrusion vector. And there's still the untapped market waiting for SOMEONE to jump in. So all roads lead to evil: even walking away (because it means you lose the market and your reason for existing). What now?

  4. Anonymous Coward
    Anonymous Coward

    Remember it's a v1..

    Personally I have more problems with the company than with the product, I think the blackphone as concept is a viable idea and I am reasonably confident it will eventually be a solid product that may even withstand independent examination. What has come out is a v1, and I fully expected that it would have problems and mistakes - now they can go and fix them.

    For the product, my usual rule applies: I don't buy something like that new, but give it a while to mature.

    However, the /company/ is what worries me. All the development is done in the US - I leave the implications of that up to the reader. I cannot trust it..

    1. Anonymous Coward
      Anonymous Coward

      Re: Remember it's a v1..

      "For the product, my usual rule applies: I don't buy something like that new, but give it a while to mature."

      Well, buying a v.1 of something is fine so long as there's a decent prospect that the initial flaws will get sorted out. And so long as it functions more or less as required. And so long as you don't actually need it to fulfil the ill-defined promises like "it's secure" (especially if it turns out not to be).

      Blackphone has a bit of a problem. They're either aiming at a concerned ProSumer market (which isn't very big and is the sort of person who is horrified by the Android Anarchy), the consumer market (which is very large and is the sort of person who generally doesn't give a damn about security when they buy a phone), or the professional market (which is again fairly small but is very, very fussy).

      The concerned ProSumer will just as likely consider getting an iPhone or, dare I say it, a WinPhone or even a BlackBerry. If one is content with the idea that Apple might be rifling through your stuff but probably no-one else (except some branches of the US government), really, what's wrong with an iPhone (from a security point of view)? They just don't want their stuff nicked by some dodgy malware delivered by the official app store or a nasty email / IM / whatever.

      The consumer won't care but might be swayed by the name, and case colour and the bling.

      The professional market is going to weigh Blackphone against the likes of MS, Apple, Samsung Knox and BlackBerry and almost certainly find Blackphone short of credibility. They cannot afford to risk buying a v.1 (or .2 or .3 or .anything) unless there's a whole bunch of accreditation paperwork to cover their arses when it gets hacked.

      Which leaves them with the enthusiast as a market, but that's not very big really and certainly won't get them credibility in any other market.

      Another thing I'm not sure of. Picking Android as the starting point from which to build a secure OS is surely the hardest possible starting point. They'll have to polish that particular security turd an awful lot before anyone trust its shininess.

  5. Anonymous Coward
    Anonymous Coward

    Another thing I'm not sure of. Picking Android as the starting point from which to build a secure OS is surely the hardest possible starting point. They'll have to polish that particular security turd an awful lot before anyone trust its shininess.

    Well, long ago one likened the use of Windows to building a prison out of merengue (and IMHO is hat remained that way), but you'll find plenty of people who are willing to look past the flawed foundations to push their warez or cult (the latter because they are so hooked on confirmation bias that mere facts won't serve to change their minds).

    Here you have a platform which alleges to be "open" from a setup that promised to "do no evil". The mildly worrying detail that said outfit is also one of the biggest data collectors in the world is happily overlooked, and the sheer fact of mentioning that will cause a rash and verbal diarrhoea amongst the fanatics.

    Personally, I think the only mobile platform that has the proper underpinnings to be VERIFIABLY secure is QNX, which happens to be the base of Blackberry's new OS, but that too can only acquire trust if every single byte of the code is publicly exposed and has been independently verified by people who know what they're doing, and who are not subject to political leverage to "overlook" certain aspects of the code. That presently more or less rules out anyone of US origin - they have many *extremely* good security specialists, but they have to work in a framework where discussing security can land them in jail. Not a terribly good foundation IMHO, and a very sad development.

    Anyway, let's sit back and see how they handle this breach. I'm especially interested in how they are going to spin that one after the announcement of their deals with various organisations who are now basically caught with their pants down. As far as I know, that's now twice in a row for Vertu, who don't know that they have another problem coming..

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021