March 03, 2014
The new "Blackphone" smartphone may have only debuted at last week's Mobile World Congress but concerns are already being raised that it will be targeted by hackers and the NSA.
Spanish start-up Geeksphone, Silent Circle and Pretty Good Privacy announced the Blackphone at the technology exhibition in Barcelona last week, with STMicro later demonstrating its own security-focused smartphone, the Boeing Black.
Blackphone, though, grabbed most of the attention as it is a new Android-based smartphone which is able to encrypt texts, voice calls and video chats.
The phone asks for a password and PIN when booting up, and then guides the user through the additional security options. But what is arguably most interesting about the 4.7-inch Android device, which will start from around £375 (US$629) when it debuts in June, is that it comes minus the usual array of pre-installed Android apps.
Instead, it runs the PrivatOS operating system, and features Silent Circle apps for anonymous search and private browsing, VPN from Disconnect and secure cloud file storage from Spideroak. It also has a remote-wipe and device recovery tool.
With users also able to restrict which apps can use their data, the phone has been publicly promoted as the “world's first smartphone which places privacy and control directly in the hands of its users.”
Speaking shortly after the announcement, Stephen Bonner, a partner in KPMG's information protection and business resilience team, warned that the phone could be a ‘red flag' to criminals.
“The new stealth ‘black phones' target privacy-sensitive customers who want to hide below the radar of the growing surveillance of mobile communications. Yet privacy shouldn't be limited to a select few handsets for individuals who have something to hide; privacy should be default for all,” he said in an email to journalists.
“By owning a ‘blackphone' a user could become a target as it acts as a red flag to criminals, highlighting that there's something to hide,” he added.
“As the devices attract and house high value data, attackers will be inclined to break in - it's a bit like carrying family photos in a security van full of gold, when the van is targeted and raided the gold will not only vanish but the photos will probably go too, it's better for the photos to just be kept at home where nobody will look twice.”
However, Bonner noted that as the device is targeted specifically at government agencies, most businesses would be better off doing more mundane security tasks, such as improving application and endpoint security of their mobile devices.
“Some of the threats these types of products aim to protect against aren't realistic for most users. They might be a cool gadget for wannabe James Bonds but business users need to worry a lot more about the applications on their device and the end-to-end protections they have in place.”
Despite the announcement, some concerns have been raised on how secure the new Android phone really is. Writing for CITEWorld, Matt Weinberger said that hackers will likely be able to unearth zero-day vulnerabilities.
“Blackphone primarily secures data at the application level, which means that a dedicated hacker could take advantage of any given zero-day vulnerability [previously undiscovered flaw in the code] to get into your data,” he said. This essentially means that everything except the apps - including the internal hardware which communicates with phone masts - could be targeted.
“Your phone's baseband—the device that handles negotiation with cell towers and other messy stuff—is essentially a black box, with its own CPU and operating system,” explained ITProPortal's Sebastian Anthony. “The baseband has complete, low-level access to your microphone—access that the Blackphone cannot mitigate against. If the NSA really wants to tap your phone, that is probably the attack vector that it would use.”
In an email exchange with SCMagazineUK.com, Webroot security intelligence director Grayson Milbourne said that the smartphone is, however, perhaps a sign that smartphone security is coming into focus.
“Blackphone is designed with security first. It is built on Google's Android OS and takes advantage of encryption to keep data on the phone safe. In addition to keeping contacts and SMS messages encrypted on the device, it also offers anonymous browsing and additional data access controls.
“The phone's security might be overkill for the average consumer, and I think Blackphone will be marketed towards security firms and companies who need the extra level of data security and it's great to see a company develop a phone where security of data is the primary goal.”