updated 11:24 am EDT, Tue August 12, 2014
Device hacked enabling root access, SecureCircle apps unaffected
The "super-secure" Android Blackphone has been hacked by an attendee at the DefCon conference. In less than five minutes, the Google-backed device surrendered root access without unlocking the Android bootloader. Initially contested by the manufacturer, the company, Geeksphone, later thanked "Justin Case" for pointing out the flaw.
The Spanish company, headquartered in Madrid, that specializes in the development, promotion and commercialization of "open source" mobile telephony solutions. Geeksphone became the first European brand to launch an Android smartphone in 2009, and launched the world's first Firefox OS-powered smartphone in 2013.
The combined initiative is spearheaded by notable figures in the security industry, including Phil Zimmermann, creator of PGP; Javier Aguera, co-founder of Geeksphone; Jon Callas, co-founder of PGP Inc. and CTO of Silent Circle; Rodrigo Silva-Ramos, co-founder of Geeksphone; and Mike Janke, CEO of Silent Circle and former US Navy SEAL.
Blackphone runs PrivatOS, a heavily forked version of Android. The device started shipping to users in June. While the flaws expose the phone's operating system to attack, the Silent Circle application security remains unbroken.
The attack exploited a flaw in Android itself, which enabled the hacker to enable the Android Debug Bridge (ADB). The ADB is a command-line tool which allows developers to communicate with an Android device at a Kernel level. This can be used to install a variety of exploits if enabled on a phone.
"We are under the impression that this vulnerability affects many OEMs and not just Blackphone. When the vulnerability becomes public, we will implement the fix faster than any other OEM." said Chief Security Officer Dan Ford of the vulnerability.
Provoked by BlackBerry fans on Twitter, tweets from "Justin" now say that he is looking to break the security of BlackBerry 10 next. He is focusing on a flaw discussed at the DefCon conference with the Open Mobile Alliance Device Management protocol and other deprecated encryption methods.