Wednesday, 28 January 2015 11:13

Silent Circle Text App Gets a Fix for a Serious Memory Corruption Flaw

Written by

Reading time is around minutes.

Privacy and security in consumer electronics is (and has been) a big deal for a number of years although most consumers are not aware just how vulnerable they are. In most cases the lack of security is due to a lack of any real standard between devices combined with massive growth in the connected device market. For far too many years cellular communication has been left vulnerable while the market boomed. The same can be said for the phones and devices we use to communicate. These have so many holes and flaws in them that it is almost comical.

Now that is only part of the equation as even when someone intentionally creates a product to be secure a mistake or other lapse can leave it just as open as every other device on the market. This is what security researcher Mark Dowd, founder of Azimuth Security found when he was playing around with a newly purchased BlackPhone. He found that even in a device as secure as the BlackPhone is supposed to be there was an issue with the SilentText that could leave users very exposed.

The flaw, which has already been patched, was a memory corruption issue that could allow for arbitrary code execution on the target device. This would allow the attacker to do all sorts of bad things including decrypt text messages, read contacts, gather location information, and even write to storage on the phone. The flaw was serious enough that all an attacker would need is the phone number or Silent Circle ID. The bug appears to exist in all versions of the SilentText app making it extend beyond the realm of the BlackPhone.

Both Silent Circle and SGP Technologies (makers of the BlackPhone) have an open bug bounty program which helps them find and quick fix bugs in their apps and devices. Since their introduction a total of 37 bugs have been found and fixed in Silent Circle apps while the BlackPhone has had a total of 25.

We have said it before and we will say it again: there is no such thing as a completely secure product Be careful out there, even using supposedly “secure” devices.

Tell us what you think

Read 4722 times Last modified on Wednesday, 28 January 2015 11:17

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.