Even devices built with a security focus aren’t immune to vulnerabilities. The makers of the Blackphone, one of the most security-concerned smartphones on the market, announced yesterday that independent researchers discovered a vulnerability in the device earlier this year. Successful exploitation would have allowed an attacker to send and receive text messages, see phone call statuses — including the number dialed — and register a call forwarding number without a victim even realizing, according to a blog post from researchers at cybersecurity firm SentinelOne. Now patched, the vulnerability exploited an open socket once used to communicate with the Nvidia Icera modem.
This isn’t a vulnerability that just anyone could exploit or find, but the fact that it existed in a high-end market device in the first place emphasizes just how likely it is that at least some vulnerability exists in all devices. The challenge for device manufacturers is finding the bugs and patching them quickly, a challenge that's given rise to a thriving bug bounty industry. In this case, that system seems to have worked.
In this case that system worked
"If you look at a company like Silent Circle, and what they’ve done with the Blackphone [security-wise], we see that even the companies that are steadfast on security still fall victim to a potential zero-day," Scott Gainey, chief marketing officer at SentinelOne told The Verge. However, Silent Circle didn’t shy away from acknowledging the vulnerability, Gainey said. Instead, the company worked with researchers to patch and effectively get information out about the bug.
"Vulnerabilities are inevitable," Dan Ford, chief security officer at Silent Circle, wrote in a blog post. "It is how you react to those vulnerabilities that counts."
In Silent Circle’s case, it told SentinelOne’s team to file their findings through its official bug bounty program, and four months later, the vulnerability was patched. SentinelOne proceeded in publishing its findings without putting users at risk. Now, this was a best case scenario, Gainey said. Not every company responds so positively when researchers dig up a gaping security hole. "It’s not uncommon to receive cease and desist letters," Gainey said. "People are afraid stuff like this is going to get out, but [they] can’t turn [their] head to this. They need to be open to these researchers and their findings."
Vulnerabilities are inevitable
That metaphorical head turn leaves consumers vulnerable and companies holding at least some liability. Widening the scope a bit, researchers also aren’t the only ones actively hunting for bugs. State-sponsored actors do, too, and with all tech companies eventually having a vulnerability in their products, it leaves a door open to espionage efforts and corporate theft. Government intelligence officers and politicians might think at least some backdoors are necessary to fight terrorism, but the reality is, no backdoor exists just for law enforcement or just for researchers.