I was hoping for a much more interesting initial post here at Blackphone, but circumstances dictate a little more formality. We recently released our first update to PrivatOS with version 1.0.1. In publishing our release we made a few faux pas:
- The hosting site was not SSL enabled;
- Failure to provide a proper checksum for the download;
- Failure to provide release notes on our support page; and
- We have not publicly released our kernel.
If we met at #HopeX and had any brief discussion RE: security/privacy posture at Blackphone, then we indubitably discussed that I will be very transparent about security and privacy of Blackphone and PrivatOS; and that my team would respond directly. Well, I am on week number three and still in the process of…well everything. But, I am responding as promised.
Issue #1: Hosting site was not SSL enabled
While we should have all of our communications SSL enabled, this in and of itself should not be construed as a vulnerability per se. For more details on the process go to the following URL: support.blackphone.ch/customer/portal/articles/1640950-how-does-blackphone-perform-ota-upgrades-is-it-secure-?b_id=4314
This issue has been submitted as a bug, and it will be corrected very soon.
Issue #2: Failure to provide a proper checksum for the download
Valid. An MD5 checksum was provided (2b158b5f8327933b2415768cb5d6b796); however, as a security company we really should be using a more up-to-date algorithm. In the future we will be using SHA256.
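To make the checksum point concrete, here is a small publisher/verifier pair in the line format that `sha256sum` emits and `sha256sum -c` accepts. This is an added example and not Blackphone's or SGP Technologies' own tooling; the file name `PrivatOS-1.0.1.zip` and the sample image bytes are made up for illustration, and the MD5 value from the post is used only to show that a digest of the wrong length is rejected when SHA-256 was promised. One caveat that ties this to Issue #1: a checksum served from the same plain-HTTP site as the download only catches corruption. Anyone who can swap the file can swap the published sum, so the sum (or a signature over it) must travel over TLS or another channel the attacker cannot rewrite.

```python
"""Generate and verify download checksums in the sha256sum(1) line format.

Added example, not Blackphone's or SGP Technologies' code. The file name
"PrivatOS-1.0.1.zip" and the sample bytes are constructed for illustration.
"""
import hashlib
import hmac
import io
import os
import tempfile

CHUNK_SIZE = 1 << 16  # stream files in 64 KiB pieces; never load a whole image into RAM


def _hash_stream(stream, algo):
    """Hash a binary stream incrementally and return the lowercase hex digest."""
    h = hashlib.new(algo)
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(chunk)
    return h.hexdigest()


def digest_bytes(data, algo="sha256"):
    return _hash_stream(io.BytesIO(data), algo)


def digest_file(path, algo="sha256"):
    with open(path, "rb") as f:
        return _hash_stream(f, algo)


def sums_line(path, algo="sha256"):
    """Build the line a publisher ships in SHA256SUMS: '<hex>  <basename>'.

    Two spaces separate digest and name; that is what `sha256sum -c` expects.
    """
    return f"{digest_file(path, algo)}  {os.path.basename(path)}"


def parse_sums(text, algo="sha256"):
    """Parse SHA256SUMS-style text into {filename: hexdigest}.

    Rejects malformed lines and digests of the wrong length for `algo`,
    so a stray MD5 line cannot be accepted where SHA-256 was promised.
    """
    want_len = hashlib.new(algo).digest_size * 2
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<hex>  <name>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' marks binary mode
        if len(digest) != want_len or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: not a {algo} hex digest")
        expected[name] = digest
    return expected


def verify_download(path, sums_text, algo="sha256"):
    """Return True only if the file's digest matches the published one.

    hmac.compare_digest avoids leaking the position of the first mismatching
    character through timing; cheap insurance when the check runs server-side.
    """
    expected = parse_sums(sums_text, algo)
    name = os.path.basename(path)
    if name not in expected:
        return False
    return hmac.compare_digest(digest_file(path, algo), expected[name])


def demo():
    """Round trip: publish a SHA256SUMS line, verify the download, then catch a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "PrivatOS-1.0.1.zip")  # hypothetical file name
        with open(image, "wb") as f:
            f.write(b"constructed sample update image\n" * 1000)  # constructed payload
        published = sums_line(image)  # what the vendor posts next to the download

        ok = verify_download(image, published)

        # Flip one bit of the downloaded image; the digest must no longer match.
        with open(image, "r+b") as f:
            f.seek(10)
            byte = f.read(1)
            f.seek(10)
            f.write(bytes([byte[0] ^ 0x01]))
        tampered_ok = verify_download(image, published)

        return {"published": published, "verified": ok, "tampered_verified": tampered_ok}


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the published line and the two verification results; `digest_bytes` is there so the hashing path can be checked against the standard test vectors for SHA-256 and MD5 without touching the filesystem.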
Issue #3: Failure to provide release notes on our support page
Issue #4: We have not publicly released our kernel
This is a valid complaint. We have obligations under the GPL as well as commitments to the third-party providers whose software we use within PrivatOS. We are working to extract the first batch of unrestricted code (primarily the PrivatOS kernel) and put it up on GitHub within the next 7-10 days.
On behalf of Blackphone and myself, I’d like to personally thank @kappuchino for pointing out some of our deficiencies. Hopefully my next post will be more interesting…
Dan Ford, D.Sc (@netsecrex)
CSO, SGP Technologies