About That Metadata Claim…
We believe that being open and responsive to critiques from the security community is a hallmark of a responsible company. That’s why we implemented our bug bounty program, where we encourage researchers to submit information about potential vulnerabilities in our products. This program gives us a way to provide missing information when suspected vulnerabilities have already been addressed or reports are inaccurate; quickly respond to reports that turn out to be true; and, most importantly, give credit to researchers whose reports are accurate.
A recent blog post claims that “silent circle” leaks metadata. We wish the author had used our bug bounty program to report his claim! Had we been contacted, he might have received a bounty, although we are happy to report that the vulnerability he cites was addressed in an update to Silent Text made in May 2014. Bottom line for our users: while this author’s claim was accurate at one time, Silent Circle users don’t need to worry. No current versions of Silent Circle applications are vulnerable to this approach for collecting metadata; the only one that was (Silent Text) was redesigned to address this exact problem and the redesign has been shipping for over six months.
We thought we’d take this opportunity, however, to demonstrate why we encourage researchers to use our bug bounty program, for those who might be interested in reporting vulnerabilities and learning how our process works.
The specifics of the claim made in the blog post in question are difficult to analyze. The blog offers, “Can metadata from silent circle be extracted to compliment timeline analysis?” as the primary research question. The blog does not explicitly state (a) which application in the Silent Circle portfolio is tested and (b) what exact platform and version is used in the research.
We can infer an answer to (a): Silent Phone & Silent Text. Question (b) is more problematic. More on this point shortly.
The post mentions the need to physically possess the phone in question in order to collect metadata. It does not mention how to bypass any security controls that restrict access (e.g. unlock codes, disk encryption, etc.). This leaves us wondering about the scenario in which the research takes place; we would definitely ask for details if a researcher contacted us. The answers would give us a better picture of the potential vulnerability, help us determine whether there is a credible threat to our users, and give us an opportunity to provide further information to the researcher.
Getting back to point (b) from earlier, the blog mentions the Zmissive table. We can therefore make some deductions.
- The Zmissive table does not exist in our Silent Phone application in either the Android or iOS variants; therefore this post must be referring to Silent Text.
- This table did exist in our Silent Text App 1.x version for the iOS platform, but that version was retired in May 2014. Had the researcher contacted us, we could have saved him valuable time!
- The remainder of the post also relies on the Zmissive table and is therefore not relevant to current versions of Silent Text.
A major rationale for changing the Silent Text architecture away from the version 1.0 code base was to increase security. Vinnie Moscaritolo wrote about this change previously. To summarize Vinnie’s work, changes present in the current architecture include a number of features that render information gathering problematic.
In sum: We are currently shipping Silent Text iOS version 2.0.4, which is not vulnerable to the methods described in this post. The only Silent Circle application potentially vulnerable to the methods described has not been current since May 2014. Further, for highly sensitive information we always recommend using the ‘Burn Notice’ feature so that the information in question can be removed from both the sender’s and the receiver’s devices once the timer has expired.
We strongly encourage researchers to avail themselves of Silent Circle and Blackphone’s bug bounty program. We invite all manner of submissions and remain committed to improving the quality of our products and ensuring you get credit for your work. Most importantly – we don’t want your time wasted on researching problems that we’ve already fixed!