1. morfinpower
    Even devices built with a security focus aren't immune to vulnerabilities. The makers of the Blackphone, one of the most security-concerned smartphones on the market, announced yesterday that independent researchers discovered a vulnerability in the device earlier this year. Successful exploitation would have allowed an attacker to send and receive text messages, see phone call statuses including the number dialed and register a call forwarding number without a victim even realizing, according to a blog post from researchers at cybersecurity firm SentinelOne. Now patched, the vulnerability exploited an open socket once used to communicate with the Nvidia Icera modem.

    This isn't a vulnerability that just anyone could exploit or find, but the fact that it existed in a high-end market device in the first place emphasizes just how likely it is that at least some vulnerability exists in all devices. The challenge for device manufacturers is finding the bugs and patching them quickly, a challenge that's given rise to a thriving bug bounty industry. In this case, that system seems to have worked.


    "If you look at a company like Silent Circle, and what they've done with the Blackphone [security-wise], we see that even the companies that are steadfast on security still fall victim to a potential zero-day," Scott Gainey, chief marketing officer at SentinelOne told The Verge. However, Silent Circle didn't shy away from acknowledging the vulnerability, Gainey said. Instead, the company worked with researchers to patch and effectively get information out about the bug.

    "Vulnerabilities are inevitable," Dan Ford, chief security officer at Silent Circle, wrote in a blog post. "It is how you react to those vulnerabilities that counts."

    In Silent Circle's case, it told SentinelOne's team to file their findings through its official bug bounty program, and four months later, the vulnerability was patched. SentinelOne proceeded in publishing its findings without putting users at risk. Now, this was a best case scenario, Gainey said. Not every company responds so positively when researchers dig up a gaping security hole. "It's not uncommon to receive cease and desist letters," Gainey said. "People are afraid stuff like this is going to get out, but [they] can't turn [their] head to this. They need to be open to these researchers and their findings."


    That metaphorical head turn leaves consumers vulnerable and companies holding at least some liability. Widening the scope a bit, researchers also aren't the only ones actively hunting for bugs. State-sponsored actors do, too, and with all tech companies eventually having a vulnerability in their products, it leaves a door open to espionage efforts and corporate theft. Government intelligence officers and politicians might think at least some backdoors are necessary to fight terrorism, but the reality is, no backdoor exists just for law enforcement or just for researchers.

    -via The Verge

    Posted via CB10
    01-07-16 03:34 PM
  2. Dunt Dunt Dunt
    "Vulnerabilities are inevitable," Dan Ford, chief security officer at Silent Circle, wrote in a blog post. "It is how you react to those vulnerabilities that counts."
    I think you're going to find that now that BlackBerry is using Android... if they ever reach a point where the PRIV is seen as a relative product, it's going to have a number of these vulnerabilities too.... which is why Chen has already said pretty much the same as Dan Ford did.

    Agree that sticking with BB10 might be safer, but then that doesn't seem to be a long term solution.
    01-07-16 04:00 PM
