World’s most ‘NSA-proof’ phone vulnerable to simple SMS hack

A smartphone marketed as the most anti-surveillance, NSA-proof personal device – the BlackPhone – has been found vulnerable to a simple SMS attack that allows the hacker to steal contacts, decrypt messages, and even take full control of the device.

The super-secure smartphone comes loaded with applications ensuring encrypted communication, text messaging, video conferencing, and secure online storage. The bug came in a prepackaged Silent Text secure text messaging application that comes along with the BlackPhone. It is also available for download for other devices in Google Play.A “serious memory corruption vulnerability” discovered by Mark Dowd of the Australia-based Azimuth Security, has already been fixed after the analyst privately disclosed the glitch to developers.

Before the application was patched, an attacker would need nothing more than the phone number of the target device.

By sending a specifically designed payload to the victim through the Silent Text application, the attacker could inject malicious code that would inherit the privileges of the secure app – thus gaining the ability to decrypt text messages, gather location information, read the phone’s contacts, and write to the external storage.

“Successful exploitation can yield remote code execution with the privileges of the Silent Text application, which runs as a regular Android app, but with some additional system privileges required to perform its SMS-like functionality such as access to contacts, access to location information, the ability to write to external storage, and of course net access,” Dowd explained to The Register.

The BlackPhone – which comes with a hefty price tag comparable to that of the latest iPhone – runs a modified and locked-down version of Android called PrivatOS. It is being marketed as the only end-to-end encrypted communication device. Dowd has challenged that motion.

“They aim to combat mass-surveillance by relying on encrypted phone calls and messages by default, which is an effective counter-measure, but I wanted to evaluate those solutions from an application security standpoint [and] by that I mean I wanted to see how robust their implementations were against targeted attacks, and evaluate any additional attack surface they might expose,” he said.