A vulnerability was discovered in Silent Circle’s Blackphone, a device that has been touted for its commitment to extreme privacy. The security flaw, found by security researchers at SentinelOne, could provide attackers with the ability to send and receive text messages, listen in on calls, and control other functions of the phone remotely.
The issue, which only affects the Blackphone 1, was fixed by Silent Circle in early December. The speed of the fix, however, is troublesome to some Silent Circle customers. The company promises to repair critical bugs within 72 hours of verifying them, but in this instance, it took 1 month from when Silent Circle confirmed its existence, and 2 months from when it was first reported.
Silent Circle says that anyone with a Blackphone 1 who has updated their software since early December should be protected from the bug now. There are no reports of any attacks on phone owners — just the discovery of a flaw that had the potential to cause a lot of damage.
What Silent Circle is Doing to Stay Ahead of Blackphone Attackers
Silent Circle’s Chief Technology Officer and co-founder Jon Callas spoke with Security Ledger about the Blackphone 1 flaw and what the company is trying to do fix future bugs. He said his internal security team is going back in to look for other, similar vulnerabilities. The company will also continue to use its successful bug reporting platform where independent researchers are encouraged to find — and report — bugs for a monetary award.
“Every one of us has some device with a serious bug that we don’t know about. But if it is fixed before it can be exploited, that’s like the tree that falls in the forest when there’s nobody to hear it,” said Callas.
Silent Circle’s entire business model revolves around privacy and security. When it comes to their newest phone, the Blackphone 2, it has been built from the ground up to be private by design. The phone’s Android-based operating system, Silent OS, is “free of bloatware, hooks to carriers, and leaky data.” The device comes preloaded with Silent Circle’s apps, as well as third party apps that enable private, encrypted communication. Users are in control of their own privacy settings and can decide the level of access each app receives.
Even with Silent Circle’s commitment to security, it will be interesting to see if hackers are able to find and exploit a flaw before the company can fix it. Fighting for privacy is a constant battle and hopefully, Silent Circle is up to the challenge.
Image courtesy of Flickr user Jon Callas.