“Two mobile Black Hat talks were 1000 times more impressive and scarier than my disclosure,”
CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer's tweet about Blackberry vulnerabilities unveiled at BlackHat, in an interview with Ars Technica regarding the alleged Blackphone hacking fiasco at DefCon
Turns out that the Blackphone, which was touted as being one of the most secure Android smartphones on the planet, isn’t really all that secure.
Based on an initial assessment of the article “The world’s most secure Android phone gets rooted in just 5 minutes”, published Aug 11, 2014 at 11:30 AM by Brad Reed, BGR, the Blackphone allegedly got hacked in less than five minutes by CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer, who goes by the Twitter handle @TeamAndIRC.
But as it turns out, Blackberry is being a bit defensive on this one, as their Blackberry smartphone has even more serious vulnerabilities that have been unveiled at the BlackHat Hacker’s Conference.
So what's the real story here?
Turns out it’s Blackberry, as they have a secret to hide: their Blackberry can be hacked OTA (Over the Air) as explained in “Blackphone goes to Def Con and gets hacked—sort of”, published Aug 12 2014, 2:07pm EST by Sean Gallagher, ArsTechnica!
Alleged Blackphone Hack – SGP Technologies meets Justin Case at DefCon
SGP Technologies, a 100 man start-up company that makes the Blackphone, had sent a delegation to the Def Con Hackers Conference. They actually came into the Lion’s Den with the intent to stir up trouble by seeing who could hack their month-old smartphone, the Blackphone, and thus prove, by inviting hackers to make an attempt, that their smartphone was secure.
They sent a delegation comprising Silent Circle CTO (Chief Technology Officer) Jon Callas and his sidekick SGP Technologies Chief Security Officer Dan Ford in a bid to basically sell some Blackphones. After all, what better place to get something for your product than at a conference full of the very same people who'd want to test the security of your product?
Sure enough, they got a few curious onlookers who came by the booth, looking at their product offering, asking questions. But when CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer sauntered by their table and calmly declared that he'd rooted their precious new baby, you could hear a pin drop in DefCon.
That's when the Drama went down... or didn't actually happen, depending on how your understanding and perception of conversations and Body language works.
Jon “Justin Case” Sawyer had just purchased his Blackphone sans an OTA update, as he chose not to enable its connecting to Wi-Fi, as at DefCon that would be an invitation to getting hacked. So he'd waltzed up to the Blackphone booth and, in his exchange with the people at the Blackphone Booth, he explained the three vulnerabilities of the Blackphone system. However, the Blackphone vulnerabilities were already well known within the DefCon community, as were the Blackberry's, which I’ll get to later.
Because Sawyer hadn't downloaded the latest patch for the Blackphone, he didn't know that Blackphone had already fixed the vulnerabilities the Blackphone had. So when he gave them his view on the phone's vulnerabilities to hacking, this problem had ALREADY been solved by SGP Technologies.
Also, it's good to note here that in order to demonstrate a hack, he'd have to have the phone physically in hand WITH the PIN (Personal Identification Number) for the phone as well as a USB Cable and a Laptop handy.
This suggests that the hacker would have to use some aspect of Social Engineering to persuade the person to hand over their phone and that vital bit of information, i.e. just simply stick them up with a Gun or knife or other weapon to get them to give up the information.
Otherwise, it would have been a phone he'd purchased himself, using a process no different from installing an Android Launcher on a smartphone as noted in my Geezam article entitled “How to change your smartphone Home Screen and create a Personal Assistant using Android Launchers”.
Blackphone Hack that wasn’t - Anatomy of a Rumour started by a Pro-Blackberry Writer
So how did this rumour of a five minute hack get started, as reported in “The world’s most secure Android phone gets rooted in just 5 minutes”, published Aug 11, 2014 at 11:30 AM by Brad Reed, BGR?
Because Blogger Brad Reed of BGR picked up on a story published by pro-Blackberry Blogger Lucas Atkins of N4BB, who made the claim via his post “Blackphone Rooted At BlackHat’s DEF CON”, published August 9th 2014 by LUCAS ATKINS, N4BB. Blackberry, in their near desperation for positive news about their product and negative news about their competition, pounced on the story and went hog wild.
Blackberry is clearly desperate, being as they've been scouring the internet for positive news anywhere they can find it, even from minor league bloggers with very bad grammar such as myself, as noted in my blog article entitled “Blackberry blogs positive reviews of Passport as Z3 sells out in India - Blackberry Passport may be their ticket on the Indian Express”.
But how did pro-Blackberry Blogger Lucas Atkins of N4BB get it so wrong, man? Possibly because he doesn’t know how to read Social Cues and Body Language of persons in a conversation, in this case CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer while he was speaking animatedly at the Blackphone booth.
Possibly in a manner similar to how news gets spread, Gossip Girl style, pro-Blackberry Blogger Lucas Atkins of N4BB or someone known to him tipped him off on what was going down at the Blackphone booth when CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer stepped up, thinking they had a solid story.
This someone misread his interaction and reaction when he came over by the Blackphone Booth. After that very bad reading, he probably questioned a few people on what went down and then just published a pro-Blackberry Story. Even more sinister, pro-Blackberry Blogger Lucas Atkins of N4BB may even be on the “take” from Blackberry, i.e. getting paid to boost Blackberry's ego by writing “positive” news, even when it wasn't the full details and came from dubious Gossip Girl Style Sources!
So using my Monk powers, here’s what happened...
Apparently while the CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer was at the Blackphone booth, he made his presentation on his hack of the Blackphone, which really took minutes, not under five as other media sources who’ve picked up the story have claimed.
He made his quick presentation on the Blackphone hack, again keeping in mind his lack of an OTA update. Then someone decided to offer him a complimentary Blackphone shirt. CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer refused the shirt, being the polite sort of gentleman that his personality exudes by virtue of being so forthcoming with information to Blackphone.
To quote Jon “Justin Case” Sawyer during his recollection of the incident to ArsTechnica: “The shirt was the most impressive part of the hack, considering I had it made in minutes”.
After all, why would his personality compel him to do so, were his actions not well intended? Plus he'd already gotten a shirt with his purchase, a body language posture that suggests that he was quite satisfied with his purchase and was ok, albeit in traditional hacker style, he’d modified his existing shirt to broadcast a different message than what was pre-written!
Good to note here that SGP Technologies is a startup using Open Source code, called PrivatOS, for their secure smartphone as well as open Source Applications provided by Silent Circle. They didn't have any bounty program, just shirts handed out to persons who purchased the smartphone or demonstrated a vulnerability, as Jon “Justin Case” Sawyer had done in a few minutes, not five minutes.
To quote SGP Technologies CEO Toby Weir-Jones: “Usually, bug bounties are run by larger companies, after they've had time to really tighten down code themselves,” he explained. Curiously, neither does Blackberry, as one would assume that they had one, being as they're not exactly broke.
Someone saw all this, misinterpreted what they saw, made a blog post, and took the entire Blogging community for a ride, being as few, with the exception of ArsTechnica, bothered to recheck the facts.
Blackphone Hack – The Social Hack that borders on Kidnapping the Victim for their PIN
How bad is it? Well, according to the article the Blackphone is vulnerable, but not to the extent that some in the industry would like to think.
Ok, with that Gossip Girl Style Drama that’s straight out of hidden camera Reality TV out of the way, how does this vulnerability work exactly?
According to CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer's account to ArsTechnica, first you have to have the Blackphone connected directly to a laptop via its USB Cable. Please take note of that; you literally HAVE to have the phone and its PIN Number, making this more of a modification than a Hack, really!
Then you boot up the smartphone, enabling the ADB (Android Debug Bridge), which is a fairly standard feature used by Android Developers to gain access to the Smartphone. Nothing strange there, as this gives the users full access to make unauthorized changes to the smartphone!
Jon “Justin Case” Sawyer claims that being able to enable ADB when it had been explicitly disabled is itself a vulnerability, as enabling full access using this setting built into Android effectively opened up the Blackphone to modification, to quote his tweet: “I disagree with [Ford’s] statement that enabling USB debugging when they explicitly disabled the ability to do so is not a vuln”.
SGP Technologies CEO Toby Weir-Jones tells a different side of the story in a phone conversation with ArsTechnica. He claimed that ADB had to be disabled as there was a bug in Blackphone's adopted usage of PrivatOS, their modification of Android OS that is used on the Blackphone.
This Bug causes the smartphone to start rebooting when the phone encryption is turned on. SGP Technologies claims that an upcoming OTA will fix that problem and re-enable ADB, so they'd merely disabled ADB as a precaution. To quote SGP Technologies CEO Toby Weir-Jones: “All we had done was remove the ability to call up the developer menu. We hadn’t isolated the bug yet and had to burn a ROM to ship the first phones.”
Still, this must be very serious as SGP Technologies Chief Security Officer Dan Ford began to get defensive with a Blackphone blog post in which he defended the move, quote: “Disabling ADB is not a security measure. And was never meant to be — it will be returning in an OTA to Blackphone in the future once the boot bug is resolved; the realities of getting a product manufactured and shipped within the available manufacturing window meant a quick fix was needed. No root or other privilege escalation was required in order for this to be performed.”
Ok, so score one for Jon “Justin Case” Sawyer. Now back to the hack that wasn't.
Once the Blackphone was accessible via ADB, the hack then focused on the Blackphone’s remote wipe functionality, now clearly accessible thanks to the fact that the Debugging option came factory-enabled. Thus a hacker could leverage his code and increase his access to the phone's Data, including bypassing encryption, as at that point PrivatOS would assume that he's the owner of the Smartphone.
According to SGP Technologies, an OTA had been issued to patch that bug before his disclosure. So score one for SGP Technologies, especially as Jon “Justin Case” Sawyer's Blackphone Wi-Fi hadn't been enabled while he was at DefCon, hence he'd not have known about that update and thus spoke without having full knowledge of what was going down.
But the stickler for me, dear reader, is the last part of the hack, which takes advantage of the administrator-level access the hacker now has to the smartphone. As described by Jon “Justin Case” Sawyer, it is, quote, “really impractical to hit, and very hard, and very low risk”, suggesting that this is not only a new vulnerability, but one that implies a level of skill on the part of the hacker to implement. Worse, SGP Technologies hasn't patched the Blackphone for that vulnerability, suggesting that it's STILL hackable... once you've gone through all the steps of course!
Game, set, match, as clearly CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer's blow-by-blow account on his Twitter feed is not only factual, but absolves him of this 5 minute wonder.
Kidnapping App Needed – Hackable only AFTER being kidnapped and divulging PIN at Gunpoint
The hack couldn’t have been done in under five minutes as advertised, and could only be conducted under extreme duress, not via an OTA attack using a Femtocell or in a grab-and-run scenario. Assuming that the situation is a Grab-and-run by a thief looking to hack the smartphone, the Blackphone is safe.
Otherwise, if the thieves are more like kidnappers, then once they have the level of expertise, they can hack the Blackphone and retrieve all its data... AFTER they've forced the victim to cough up his PIN Number. So it’s hacker proof like any typical smartphone, not kidnapping-and-then-forced-to-cough-up-the-PIN-Number-under-duress proof.
Hopefully the Blackphone has a kidnapping Mode similar to the Samsung Galaxy S5 Emergency Mode to send information so that I can get rescued, as explained in my blog article entitled “Introducing the Samsung Galaxy S5 – 16 Megapixel Camera with Fingerprint Scanner and Fitness Tracker is Improved Fun Experience in a better Business Suit”. Otherwise High profile Executives working in, say, a Weapons Contractor might turn their noses up at this smartphone.
Blackberry exposed at BlackHat - Blackberry sweating but Long Hair Positive News hide it
So it’s becoming Crystal Clear to anyone that reads this redacted story.
The Hack that wasn’t was the Blackphone, as reported in “The world’s most secure Android phone gets rooted in just 5 minutes”, published Aug 11, 2014 at 11:30 AM by Brad Reed, BGR.
There's a deeper story here though: the lack of serious Developers for Enterprise Grade Applications and Operating Systems and why they don’t make Apps for these former clients of Blackberry.
But there’s an even more troubling story that’s sure to sink the upcoming Passport and Blackberry’s reputation as being unhackable and having Enterprise Grade Security. The real hack, however, took place over by BlackHat, and involved the Blackberry!
Blackberry is susceptible to a Baseband Processor Attack as demonstrated at Black Hat by Accuvant research scientists Mr. Mathew Solnik and Mr. Marc Blanchou. They took advantage not of vulnerabilities in the Operating System but of a universal problem in the firmware of most Smartphones, that being the OTA interface used by Wireless Carriers to perform updates.
This is because all Cellphones use a Baseband Processor, a SOC (System on a Chip) used to mediate interactions with the Cell Towers of a particular Carrier and perform OTA updates. Surprisingly, on some smartphones the Baseband Processor can access the SSD Drive and SD Card and even gain Root access to the smartphone, making any hack of the Firmware give the hacker total control over the smartphone.
But how did the Accuvant research scientists Mr. Mathew Solnik and Mr. Marc Blanchou at BlackHat perform their Baseband Processor Attack?
Basically the hackers tricked the smartphone by using a Femtocell, which is a mini-portable cell tower as described in my blog article entitled “When in Roam (ing) carry a attocell - SnapDragon and The Tourist”, as demonstrated in the video below!
This Femtocell was basically used to trick the smartphone's firmware into thinking that it was connecting to a legitimate Cell Tower, to then send the Smartphone an OTA Update. This OTA Update basically made modifications to the Smartphone that would allow a hacker using this duplicate femtocell or even Wi-Fi to gain remote control of the Cellphone.
This hack is very similar to hacking a Car by installing a software update or Trojan virus via a smartphone, e.g. an Apple iPhone acting as a vector for the virus. Once synched to the Car's Entertainment System, it would end up accessing the rest of the Car as it would be connected to the Engine Management system, which in most Cars is on a common Internal Network as described in my blog article entitled “Automotive Security Researchers tell CNN Money Vehicles are hackable - How Vehicle Entertainment Systems are hacked”.
Only in this case, it's done OTA by deceiving the Smartphone into thinking that it's communicating with a Cell Tower and receiving a legitimate OTA Update. That OTA update can basically be a Trojan Horse Virus that opens up the smartphone like a Hard-Drive connected to a Wi-Fi Modem; once installed, the smartphone can be remotely accessed and controlled via its Wi-Fi Interface as the video below demonstrates. They were able to not only gain access to Root but also to the Configuration of some iOS devices.
Yes, you read that right... Apple iPhones!
What’s more troubling here is that it's not just the BlackBerry Z10 that’s susceptible. A whole laundry list of Google Android Smartphones, such as the HTC One M7, are susceptible to this hack that takes advantage of the Telecom Providers' M2M (machine-to-machine) interfaces used to do updates and even services such as Mobile Money as described in my blog article entitled “JCCUL get's approval from BOJ to launch their JCUES Mobile Money Platform - JCUES Mobile Money Wolverine (2013) marks the Kick-Ass 2 (2013) beginning of a Cashless Society”.
In fact, it may have implications for Digicel's planned launch of a Mobile Money Service in partnership with ScotiaBank later in the Fourth Quarter of 2014 as described in my blog article entitled “Digicel to roll out Mobile Money Service in 2014 - Haiti Tcho Tcho Mobile Love is Bringing the Boom with ScotiaBank heralds Cashless Society by 2015”, as it implies that persons can hack their phone and gain access to their Mobile Money Accounts.
So is the Blackphone susceptible to this type of Attack?
Apparently not, according to Silent Circle CTO (Chief Technology Officer) Jon Callas and his sidekick SGP Technologies Chief Security Officer Dan Ford, who point out that, like the 2014 Audi, the Baseband Processor has no access to the rest of the smartphone, quote: “It’s completely segregated”. Looks like the Blackphone designers made sure that PrivatOS was secure enough to withstand what's basically a hack by a femtocell that's impersonating a legitimate Cell Tower from the Telecom Provider.
Mimicking a Cell Tower is a Technical feat I’d pointed out was possible and may be the source of persons being able to bypass our local Jamaica Telecom Providers Digicel and LIME and make Phone Calls as if they were in Jamaica at local Rates, as explained in my blog article entitled “How US$1 Billion is lost from the USF and Telecoms Tax via Inbound International Calling Bypass - LIME, Digicel and Network Engineer French Connection”.
Blackberrys are quite common in the Developing World, meaning hackers with the knowledge of how to do this in Jamaica can have a field day using it to steal personal information, including pictures and Voice Notes from Blackberrys without even touching the Blackberry.
Suddenly Blackberry is in the spotlight as they’re the ones that are really vulnerable here. Worse, this fiasco created by pro-Blackberry Blogger Lucas Atkins of N4BB may have been Blackberry's doing to distract attention from themselves... and the rest of the smartphone crowd.
In fact the Blackberry Passport, coming in September 2014 as announced in my blog article entitled “Blackberry Passport coming in September 2014 - Squaring up again the competition in Portrait and Landscape Mode”, may also be vulnerable to this Baseband Attack. It’s definitely not going to be hip to be Square as this hack makes them very oft duplicated and easily remotely controlled via a Trojan OTA Update from a femtocell masquerading as a real cell tower!
Why do I feel that the Luddite Camp to which I belong, as described in my blog article entitled “The Reason why I don't like Smartphones - Location Privacy and How to disable Location Services on Android and iOS”, is suddenly getting bigger and bigger?
SGP Technologies Blackphone – Survived spending a night like Daniel in the Lion’s Den
SGP Technologies' Blackphone has vulnerabilities, mainly in their App Store Apps, which have to be assessed, as they can themselves create vulnerabilities making the Smartphone hackable. Also, there's a lack of a physical switch to disable the camera and microphone, as this super secure Smartphone can, with the right hack, be turned into a tool to spy on the owner!
This, as well as complaints about their 4G LTE Service, has to be addressed. Still, to their credit, SGP Technologies has shown that they're serious about security on their much-touted month-old smartphone product to CTO of Applied Cybersecurity LLC Jon “Justin Case” Sawyer. By merely even turning up at DefCon, they've basically shown that, like Daniel in the Bible, they can spend a night with the Lions in their Den... and survive.