Blackphone Update Removes Critical Security Threat: Did Code Quality Issues Contribute to the Problem?

by Pete Pizzutillo

As reported in a recent article by InfoWorld, a high-profile, privacy-driven smartphone provider located a security hole capable of exposing its devices to attacks. Blackphone is a specially designed smartphone developed by SGP Technologies, which operates as a subsidiary of Silent Circle. The phone uses a VPN for Internet access and runs on a modified Android version titled “SilentOS”. A third-party component Silent Circle used as part of the device design was capable of exposing the secure smartphone to outside attacks.

What Was the Security Issue?

The vulnerability made it possible for an attacker to control the modem functions of the phone. Researchers identified this problem when they found an open socket accessible on the phone during a reverse-engineering exercise. Blackphone is currently one of the most secure phones on the market because it uses built-in encryption to deliver secure:

  • Voice Calling
  • Text Messaging
  • Video Conferencing
  • File Transfers

For Blackphone, the problem was directly related to a third-party component included as part of the smartphone’s design. An open socket that interacted with a number of applications was compromising application security. This vulnerability made it possible for attackers to send SMS messages or forward incoming calls via the socket without being noticed by users. An attacker could initiate calls, kill the modem, prevent incoming calls, and perform other malicious actions. Since the discovery, Silent Circle has taken measures to patch the identified flaw, and the update was released in early December 2015.

Continuous Code Analysis: Could It Have Helped?

Many companies rely on the technology of outside providers to put their product on the market, but at what cost? With no way to monitor code quality or locate defects, many companies experience critical security and operational flaws in their products or services. With the Blackphone vulnerability, attackers could essentially take over the phone, trick users into installing malicious applications, and perform other actions to compromise the device.

Could this problem have been identified sooner by evaluating code quality and analyzing the third-party component? The lack of information about the problem’s root cause makes this a difficult question to answer. However, continuous evaluation against a defined set of standards and metrics has become essential to identifying potential defects before products reach consumers. Whether the product is a device or an application, certain measures must be taken to validate quality and security. Code analysis tools and defined metrics are a company’s first line of defense for identifying potential problems.

Whether the Blackphone issue was strictly hardware related or part of an underlying code problem is still up for debate. As these issues continue to surge, quality is definitely not something to put on the back burner. Every potential defect should be identified and resolved long before a product reaches the consumer market. The Blackphone issue might not have been directly code related, but it is a prime example of what can happen when measures are not taken to identify problems up front.

References:

  • InfoWorld, “Blackphone update closes security hole”: http://www.infoworld.com/article/3019379/security/blackphone-update-closes-security-hole.html
  • Wikipedia, “Blackphone”: https://en.wikipedia.org/wiki/Blackphone

Pete Pizzutillo, Vice President
Pete Pizzutillo is Vice President at CAST and has spent the last 15 years working in the software industry. He passionately believes Software Intelligence is the cornerstone to successful digital transformation, and he actively helps customers realize the benefits of CAST's software analytics to ensure their IT systems are secure, resilient and efficient to support the next wave of modern business.