
Transparent Response About First Update To PrivatOS

I was hoping for a much more interesting initial post here at Blackphone, but circumstances dictate a little more formality. We recently released our first update to PrivatOS with version 1.0.1. In publishing our release we made a few faux pas:

  • The hosting site was not SSL-enabled;
  • We failed to provide a proper checksum for the download;
  • We failed to provide release notes on our support page; and
  • We have not publicly released our kernel.

If we met at #HopeX and had any brief discussion RE: security/privacy posture at Blackphone, then we indubitably discussed that I will be very transparent about security and privacy of Blackphone and PrivatOS, and that my team would respond directly. Well, I am on week number three and still in the process of… well, everything. But I am responding as promised.

Issue #1: Hosting site was not SSL enabled

While we should have all of our communications SSL-enabled, this in and of itself should not be construed as a vulnerability per se. For more details on the process go to the following URL: support.blackphone.ch/customer/portal/articles/1640950-how-does-blackphone-perform-ota-upgrades-is-it-secure-?b_id=4314

This issue has been submitted as a bug, and it will be corrected very soon.

Issue #2: Failure to provide a proper checksum for the download

Valid. An MD5 checksum was provided (2b158b5f8327933b2415768cb5d6b796); however, as a security company we really should be using a more updated algorithm. In the future we will be using SHA256.
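As an added illustration of the SHA256 practice described above (example code, not Blackphone's own release tooling), the block below shows both halves of the checksum workflow: the publisher emits a `sha256sum`-style manifest line for the update file, and the downloader verifies the file against that line, refusing a 32-hex-character MD5 entry so an old MD5 line can never be mistaken for a SHA-256 one. The update bytes and file name are constructed placeholders, not a real PrivatOS image.

```python
"""Publish and verify a release checksum with SHA-256 rather than MD5.

Added example; the update image and manifest are constructed stand-ins.
"""
import hashlib
import hmac

# Constructed stand-in for an OTA update image (not a real PrivatOS build).
UPDATE_NAME = "privatos-1.0.1-constructed.zip"
UPDATE_BYTES = b"PrivatOS 1.0.1 OTA image (constructed sample)\n" * 64

CHUNK = 64 * 1024  # hash large images in chunks rather than loading them whole


def sha256_hex(data):
    """Return the lowercase hex SHA-256 of a bytes object, hashed chunk by chunk."""
    h = hashlib.sha256()
    view = memoryview(data)
    for start in range(0, len(view), CHUNK):
        h.update(view[start:start + CHUNK])
    return h.hexdigest()


def publish_manifest(name, data):
    """Produce the line a release page should publish: '<sha256>  <filename>' (sha256sum format)."""
    return f"{sha256_hex(data)}  {name}\n"


def parse_manifest(text):
    """Map filename -> expected digest; reject anything that is not a 64-hex SHA-256 (e.g. a 32-hex MD5)."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line
        hexdigest, name = parts
        if len(hexdigest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in hexdigest):
            raise ValueError(f"{name}: digest is not SHA-256 ({len(hexdigest)} hex chars)")
        expected[name] = hexdigest.lower()
    return expected


def verify_download(name, data, manifest_text):
    """True only if the download's SHA-256 matches its manifest entry; comparison is constant-time."""
    expected = parse_manifest(manifest_text)
    if name not in expected:
        return False
    return hmac.compare_digest(sha256_hex(data), expected[name])


if __name__ == "__main__":
    manifest = publish_manifest(UPDATE_NAME, UPDATE_BYTES)
    print(manifest, end="")
    print("intact  :", verify_download(UPDATE_NAME, UPDATE_BYTES, manifest))
    print("tampered:", verify_download(UPDATE_NAME, UPDATE_BYTES + b"\x00", manifest))
```

A matching digest proves the file arrived unmodified; it only proves authenticity if the manifest itself came over an authenticated channel (which is why Issue #1 and Issue #2 go together), or is signed.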

Issue #3: Failure to provide release notes on our support page

Valid. Corrected.

Blackphone OTA Process: support.blackphone.ch/customer/portal/articles/1640950-how-does-blackphone-perform-ota-upgrades-is-it-secure-?b_id=4314

Blackphone v1.0.1 Changelog: support.blackphone.ch/customer/portal/articles/1640958-privatos-1-0-1-changelog-

Issue #4: We have not publicly released our kernel

This is a valid complaint. We have obligations under the GPL as well as commitments to the third-party providers whose software we use within PrivatOS. We are working to extract the first batch of unrestricted code (primarily concerning the PrivatOS kernel) and put it up on GitHub within the next 7-10 days.

On behalf of Blackphone and myself, I’d like to personally thank @kappuchino for pointing out some of our deficiencies. Hopefully my next post will be more interesting…

Dan Ford, D.Sc (@netsecrex)

CSO, SGP Technologies
