PrivatOS 1.1.2 Update

Learn about the PrivatOS 1.1.2 upgrade for Blackphone, including patches for new public vulnerabilities affecting Android, as well as new security improvements.

Starting today, Blackphone users will receive PrivatOS 1.1.2 via an Over the Air update. This is the second update since we announced our major upgrade, PrivatOS 1.1, at this year’s Mobile World Congress.

There is no question that a large proportion of employees’ work environment is shifting to mobile devices and applications. More powerful devices and an increasingly remote and traveling workforce mean more reliance on mobile, and new targets for cybercrime and corporate espionage. New forms of mobile-targeted attacks and vulnerabilities are made public almost every day by the research community and specialized sites. Such a dynamic scenario presents a huge challenge for corporate CISOs and end users, who are struggling to protect the data residing on their mobile devices before attackers exploit these public vulnerabilities. This is why at Silent Circle we are committed to providing users with constant updates to our devices and software, with no dependency on carriers or third parties, so that these updates are provided in record time. This is one of the things that makes us different from other vendors, who can take months to provide an update that patches public vulnerabilities, or simply never provide it.

This was in fact the story behind PrivatOS 1.1.1. On March 12, a few hours after we published our major upgrade PrivatOS 1.1, Google confirmed that devices based on Android 5.0 or lower were exposed to two new major security vulnerabilities. The vulnerabilities, identified as CVE-2015-1530 and CVE-2015-1474, allowed an attacker to access protected data or cause the device to malfunction simply by pushing software onto the device through a web page or a fake application.

This was clearly unfortunate timing for us, given that we had just released a major PrivatOS update! But our quick reaction force teams immediately started working to create and verify the patches to these vulnerabilities, and these were made available to our customer base on March 14 through PrivatOS 1.1.1, less than 48 hours after the two vulnerabilities were made public.

Yet another new update is coming out today: PrivatOS 1.1.2. In this case, we have patched eight new public vulnerabilities affecting Android.* These vulnerabilities are not as major as the two described above, but we want our users to have the greatest degree of protection. Additionally, we have provided two new security improvements.

The first is simple and effective: randomize the position of the numbers on the lockscreen PIN pad. Stealing a device’s lock PIN does not always require advanced programming techniques; it can be as easy as looking over someone’s shoulder while they unlock their phone, or carefully checking the fingerprints left on the screen after many unlocks. PrivatOS 1.1.2 users can configure their settings so that the PIN digits appear in different positions with every lock, making it even more difficult for someone to steal their PIN.

In addition to the lockscreen PIN pad update, we also upgraded our Certificate Authority list.

Together with these security improvements, we have included usability features requested by our users through our customer support center, such as a Chinese keyboard and a default accessibility shortcut that helps blind users start using the device out of the box. Last but not least, we have taken this opportunity to include minor bug fixes and address other issues reported by our users.

Overall, every new update helps Silent Circle’s Blackphone users be safer and more confident in their communications. Protect yourself by always having your software up to date. We recommend you configure your phone to search for updates regularly, either daily or on every boot. (You can adjust this setting via Settings > About Phone > Updates.)

And be confident knowing that we will be vigilant about your privacy.

Kind regards,


* Public vulnerabilities fixed in PrivatOS 1.1.2: CVE-2015-1525, CVE-2015-0289, CVE-2015-0292, CVE-2015-0287, CVE-2015-0286, CVE-2015-0209, CVE-2015-0288 and CVE-2015-0293.