
Nothing is Secure: Bug Discovered in Blackphone’s OS

Earlier this month, researchers at endpoint security firm SentinelOne discovered and mitigated a vulnerability in Silent OS, the operating system of the encrypted smartphone known as the Blackphone, which is generally considered one of the most secure smartphones available today. The discovery shows that no matter how secure a system is designed to be, it remains vulnerable to hacking.

Homeland Security Today reached out to Tim Strazzere, Director of Mobile Research at SentinelOne, to shed light on the details behind a zero-day vulnerability in one of the most popular privacy-focused smartphones and what it means for the cybersecurity sphere.

Strazzere said SentinelOne is transforming security with a next-generation Endpoint Protection Platform (EPP). The company has developed a next-generation antivirus replacement platform that protects organizations against advanced threats initiated by nation states, terrorists, and organized crime.

“The need for effective endpoint protection has never been greater,” Strazzere warned. “Endpoints represent a broad swath of computing devices – including laptops, desktops, servers, mobile devices, embedded devices, SCADA [supervisory control and data acquisition] systems, and even IoT [Internet of Things] devices. These endpoints connect and access data, literally from anywhere, and they are the weakest link into the enterprise.”

SentinelOne’s research team, which continuously looks for and reverse engineers zero-day malware and exploits, discovered the Blackphone vulnerability during a Red Naga training session at Defcon, the world’s largest underground hacking conference. Strazzere said the bug was not difficult for SentinelOne’s researchers to find, since the company routinely performs the same steps to uncover similar vulnerabilities.

The bug affected a third-party modem, the nVidia Icera, which is used in the Blackphone and a few other older Android devices in India. Strazzere says the more mainstream modems manufactured by Qualcomm and Mediatek, which account for the largest share of devices, were not affected by this vulnerability.

The vulnerability would allow an attacker to take control of many of the modem’s functions, including the ability to send and receive text messages, see phone call statuses — including the number dialed — and register a call forwarding number.

Strazzere commented that the total number of users affected is unknown. He also said, “There is no evidence that anyone has found or exploited this vulnerability in the wild. However, the vulnerability is somewhere between medium and high. This is based on what attackers could do if they leveraged the attack vector; but it’s not high to critical since the attack cannot be remotely executed.”

The vulnerability, uncovered on August 8, 2015, was marked as resolved on November 2, 2015. Patch 1.1.13 RC3 included a fix for the issue and was released by SilentCircle on December 7, 2015. SentinelOne collaborated with SilentCircle on the issue through the Bugcrowd bounty program. The discovery of a vulnerability in one of the most secure devices on the market serves as an important reminder that nothing is completely secure.

“The assumption should be that nothing is really secure,” Strazzere said. “It is this reality that’s fueling us at SentinelOne to create an entirely new approach for protecting endpoints from exploit-based threats as well as malware.”

“Even the most ardent manufacturers who pride themselves on security fall victim to vulnerabilities,” Strazzere added. “It’s a reality we must face within the security industry, as well as within the manufacturing community to ensure we maintain diligence when it comes to development practices.”

Cognizant of the reality that nothing is safe from hacking, Strazzere says the key is to minimize exposure from the third-party technology (hardware, drivers, software libraries, etc.) used in today’s devices, since those components make detecting and remediating security flaws more difficult than ever.

“As we continue to add more functionality to our mobile devices (commerce, payment systems, SCADA control, etc.), the frequency and impact from vulnerabilities increase,” Strazzere explained. “Mobile devices must be equipped with security that can protect against advanced attacks. Few devices today are deployed with endpoint security technologies that can protect against exploit-based attacks, or sophisticated malware-based attacks.”

He added, “In this particular instance, we’re talking about a zero-day vulnerability, which is a different attack vector, an exploit-based attack that would not be detected by most antivirus and anti-malware packages.”

Mobile malware is an increasingly pernicious threat. Homeland Security Today recently reported on a rise in mobile malware, particularly the mobile banking Trojan families Android/OpFake and Android/Marry. McAfee Labs researchers, in collaboration with other partners, discovered 56 million sets of unprotected data containing sensitive information, such as full names, email addresses, passwords, photos, money transactions, and health records.

McAfee Labs recommends that users download mobile apps only from well-known app stores and avoid apps from unknown sources, including those delivered through SMS messages and email, which, according to Strazzere, is how mobile malware could have gained access to the Blackphone.



Homeland Security Today (http://www.hstoday.us)
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
