Blackphone Encrypted Text Flaw Opens Devices to Hacker Takeover

February 04, 2015

By Tara Seals,
TMCnet Contributor


The legacy of Edward Snowden lives on, and since his revelations of mass surveillance on the part of the National Security Agency rocked the tech world, privacy has been top of mind for many consumers and businesses. A crop of communications services offering end-to-end encryption (and therefore protection from the prying eyes of the government) has debuted in the post-Snowden era, including the highly touted Blackphone. One problem though: Azimuth Security researchers have uncovered a chink in the armor.


Blackphone uses a “PrivateOS” that encrypts both voice calls and text messaging. But Azimuth discovered that the SilentText messaging application bundled with Blackphone contains a serious memory corruption vulnerability that can be triggered remotely by an attacker and be used to decrypt messages and commandeer a user’s SilentCircle account.

“If exploited successfully, this flaw could be used to gain remote arbitrary code execution on the target's handset,” the company wrote in a blog.

And any code run by the attacker will have the privileges of the messaging application, which is basically a standard Android application with some additional privileges. So in addition to reading messages, attackers can use the flaw to gather location information, read contacts, write to external storage and run additional code of the attacker's choosing (such as a privilege escalation exploit aimed at gaining root or kernel-mode access, thus taking complete control of the phone).

In terms of the technical underpinnings of the problem, SilentText provides the ability for users to send text messages and share files over an encrypted channel, which is established and managed using the 'Silent Circle Instant Message Protocol' (SCIMP). The problem is that the SCIMP implementation supplied with SilentText contains a type confusion vulnerability.

This “allows an attacker to directly overwrite a pointer in memory (either partially or in full), which when successfully exploited can be used to gain remote, unauthenticated access to the vulnerable device,” Azimuth explained.

Amping up the danger quotient, the only knowledge an attacker needs to exploit the flaw is the target's Silent Circle ID or phone number; the target does not need to be lured into contacting the attacker via social engineering.

Fortunately, the issue has been patched by both Silent Circle and Blackphone in both app stores and as a product update—which users should apply as soon as possible.




Edited by Alisen Downey