a BlackBerry blogger at N4BB leapt on one of Sawyer's tweets and wrote a story with the erroneous headline, "Blackphone Rooted Within 5 Minutes." By the time Sawyer was presenting on Sunday at Def Con with Tim Strazzere, the story had been picked up by a number of blogs and websites, and nearly all of them didn't bother getting further details from Sawyer or Blackphone.
In a conversation with Ars, Sawyer said that the hack required three vulnerabilities in all; one of them is a lower-threat vulnerability affecting a wide range of Android-based devices and has not yet been fully disclosed. Additionally, he said, rooting the Blackphone required that the attacker:
- have physical access to the phone and connect it to a computer via USB,
- configure the phone against Blackphone's set-up recommendations,
- not enable encryption on the device,
- ignore an unknown application source warning, and
- have the phone's PIN code.
In other words, to hack the Blackphone, the hacker would have to have either obtained it from a very naïve user or bought the phone himself.
One attack, demonstrated at Black Hat by Mathew Solnik and Marc Blanchou, used the embedded over-the-air management interfaces used by wireless carriers to perform carrier-pushed configuration updates. They were able to gain root access to BlackBerry phones, as well as some Android phones and the Sprint configuration of some iOS devices. The devices most vulnerable to the attack were the BlackBerry Z10 and the HTC One M7.
The attack takes advantage of the machine-to-machine (M2M) interface used by carriers to do remote provisioning of the phone when it's purchased and to push out communications updates. The interface is part of the baseband configuration of the phones; it leverages the baseband processor, which is the system-on-chip that handles the connection to cellular networks. On some devices, the baseband chip can access local storage and memory used by the smartphone's operating system and be used to gain root-level access.
At Def Con, Ars talked with Jon Callas and Dan Ford about the baseband question. Callas said that the baseband processor in the Blackphone, which is made by Nvidia, has no such access to the memory and storage used by PrivatOS. "It's completely segregated," Callas said. Blackphone is looking at ways to provide an audit of the phone's baseband code to assure users that the cellular modem can't be made into what amounts to a hostile router, "but we assume that it's a hostile router in the way we developed PrivatOS," Callas added.