Blackphone security holes discovered

A security researcher at BlackHat has sparked a “did-he-didn’t-he” Tweet-storm over the extent of an alleged “hack” of the “secure by design” Blackphone. The Twitter argument continues, with @TeamAndIRC first announcing that it only took five minutes to root the Blackphone, then backtracking on one claim because it happened on an unpatched version of Android, and noting that the second attack required user interaction.

The three items the account identifies are described as follows: (a) “USB debugging/dev menu removed, open via targeted intent”; (b) “remotewipe app runs as system, and is debuggable, attach debugger get free system shell”, and (c) “system user to root, many available”.

This post by CSO Dan Ford at Medium answers some of @TeamAndIRC’s claims.

cf.: https://medium.com/@Blackphone/f23c8e52acc1

Ford doesn’t consider the debugging attack to be a vulnerability because the Android Debugging Bridge is part of Android: “We turned ADB off because it causes a software bug and potentially impacts the user experience, a patch is forthcoming.”

That seems to leave the ability for a system user to get through to root: the details of the attack haven’t been discussed in public, but Ford promises a patch as soon as possible once Blackphone knows what’s going on.

The Register: http://www.theregister.co.uk/2014/08/11/blackphone_rooted_at_blackhat/

Heise: http://www.heise.de/open/meldung/Def-Con-22-Erste-Luecken-im-Blackphone-entdeckt-2290028.html