What a great way to start off the new year with a win for the Silent Circle Bug Bounty program. Tim Strazzere (@timstrazz) and crew found a very interesting vulnerability within the Nvidia Modem. Since I don’t want to steal Tim’s thunder and go into the details, I’ll just point you to his blog post. The entire Silent Circle team would like to thank Tim and his team for contributing to our bug bounty program. Please keep up the good work.
Here is the quick takeaway:
- Only affects first-generation Blackphone (BP1) with Nvidia chip
- Does NOT affect Blackphone 2 (BP2)
- BP1 devices prior to and including 1.1.13 RC2 and below are affected
- Ensure BP1 is on version 1.1.13 RC3 (patch issued 12-7-2015) - Users who have applied the update are not affected
- Users can verify current version under Settings->About Phone->Updates->Check for Updates
As Tim pointed out in his blog, “The Blackphone is generally considered the most secure smartphone available today.” One of the main reasons many, like Tim, say we produce the most secure Android smartphones on the market is our commitment to patching. Vulnerabilities are inevitable. It is how you react to those vulnerabilities that counts. How does Silent Circle react? We patch vulnerabilities and give credit where credit is due. For you see, in most cases product security depreciates faster than taking a new car off the car lot. In order to keep the value from depreciating too quickly you must provide careful and consistent maintenance. We take pride in maintaining the security of all our products and will continue to do so.
Here are some questions you may have regarding this vulnerability:
Q1. Does a vulnerability like this mean that others could be possible on Blackphone?
A1. Based on the research provided by Sentinel One it is safe to assume that any device using the Nvidia Icera modem would be vulnerable. Based on our knowledge we do not know of any other device that would be using this modem. We suggest contacting Nvidia for further details.
Q2. How often does Silent Circle receive claims like this and award bounty payments for discovered vulnerabilities?
A2. In the first year of our Bug Bounty program we accepted 71 vulnerabilities across all products, services, and platforms. We only advertise the minimum reward of $128/vulnerability. During the first year we paid out significantly higher than the minimum reward. On certain occasions we have been known to give out hand picked gifts to our researchers.
Q3. How can Blackphone users know if they were affected by this vulnerability before it was patched?
A3. Please ensure that your BP1 is updated to version 1.1.13 RC3 or later. Further, we are not aware of any known exploits in the wild for this vulnerability.
Q4. How much of a risk did the vulnerability pose given the security of the Blackphone and limited ways to load apps?
A4. One of the biggest threats with any smartphone is installing apps from untrusted parties. If a malicious App were installed on the phone it could take advantage of this vulnerability. For this reason, Silent Circle provides a countermeasure with Security Center. Security Center lists all Apps on the device and is prompted at each new App install.
Again thank you to Tim and his team for this discovery. Further, we would like to invite the entire security research community to participate in our bug bounty program. You can read more about the program on our partner site.