Making Privacy Great Again (?) – The Blackphone Story – Part 2 – Ride on Time

(to those who miss, here is part 1…)

Everyone wants to be secure, or so it seems, and that what makes the whole story of Silent Circle so sad. A group of extremely talented people (Phil Zimmerman (PGP), Jon Callas (Apple, OpenPGP), Mike Kershaw (Kismet) etc.) gathered and created Silent Circle… and developed phone that will be secure and focus on your privacy. The first phone, the Blackphone 1 was too slow and too restrictive, so Blackphone 2 came along and provided a much-needed boost in terms of usability and performance to clients who want to have a phone that gives them android experience. Blackberry did the same when they decided to ditch their own OS and move to the android domain, and … both seems to have failed to gain substantial market share. But don’t blame the players, blame the game – we live in a world where people talk about privacy like Trump is talking about America – endless use of slogans which are driven by personal motives.

Back to Silent Circle. Sean Gallagher have written an article in ARS Technica on Silent Circle in July 2016, and it was a very sad article. Seems that the company have been facing severe changes – the core security team no longer works for the company, and it seems that their support has been diminished. And then came January 2017, and all hell broke loose. At the end of 2016 Blackphone 2 phones started to appear in the grey market, for very cheap. Instead of 600 dollars/euro/pounds they were sold for as little as 100 dollars/euro/pounds. When Silent Circle discovered it, they went furious. Not only they were being misled into buying the shares of Geekphone in the joint venture because they been told they have 250,000 units which were ordered, devices started to appear in the market for a fraction of the listed price. What they did? They decided to kill them. As was written on January 28th in ARS Technica, in order to fight unauthorized sellers, all machines who were connected to the internet did what they always do – check for update, and the machines which had a blacklisted IMEI got an update that turned their phone into a demo unit.

Which brought me into the picture. I always like challenges, and since I couldn’t find anyone who solved the problem I decided to try. As I’ve written in the introduction, I never really did mobile security hands-on. Sure, I hired pen-testers to check the quality of applications our organisation was developing, and I knew the first editions of android were almost as secure as windows 95 was – but that’s it. I never investigated deep into mobile security perhaps mainly because I was focusing on awareness so much. But hey, I was about to end up an assignment in my previous employer and now I wanted to try something different. So here we go… two units come to papa…

Passive Reconnaissance

While waiting for the units to arrive I decided to do some information gathering. Trying to gather information about the Blackphone 2 was a pain in … Silent Circle has close to zero information on how they secured their phone. The only real security review I was able to find was here:

Part 1, Part 2, Part 3, and even a warning not to own the device.

After reading that, why would anyone want to buy the phone? The fact Silent Circle did not answer the questions being asked by the person who wrote these articles is really sad, especially if you consider the talent team that created the phone. Jon Callas said in a 2015 interview to “security weekly” that “This is an android phone that comes out of the box set up the way Mike Kershaw would set it up for you. That is in fact what you’re paying for, is that Mike Kershaw has set up your phone”, and also “The real thing that you’re getting from us is that we’re updating the software. We have fixed every major bug that has come out in Android or any subsystem in 72 hours.

I was extremely curious to find out who was manufacturing the phone to Silent Circle, and what parts of it were outsources. A long, long time ago (before some of you were even born) I worked as a hardware analyst and had the opportunity to work with the far east manufacturers, so I decided to look for the parts. Repair centres need to repair phones, and China is selling the parts, and Aliexpress is a great place to look for. Indeed, I found the screen replacement here, and a quick google image search showed me that it is identical to the screen being used in a mobile phone called Aquaris M5.5 (link to replacement screen here) by a Spanish company called BQ. Now, if you consider the fact the original joint venture that created the original Blackphone 1 was with a Spanish company called Geeksphone it is easy to see this is the two phones carry the same spec …

This was a good sign. I now had two phones which seems to have the same spec, so it could really help me to figure out what was done to secure the phone. Or so I hoped…

There were some videos online, but no teardown of the product, or security analysis of the firmware.

My tasks seemed obvious to me:

  • Find a way to prevent the phone from bricking itself
  • Learn about the security hardening as much as I can
  • Find ways to see if I can make the phone more secure and more private oriented
  • Try not to get kicked out of the house while doing it

Two phones have arrived. One been kept pristine clean without being touched, the first one was about to get hammered by me…

Part 3 will follow soon…


One thought on “Making Privacy Great Again (?) – The Blackphone Story – Part 2 – Ride on Time

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s