As reported in a recent article by InfoWorld, a high profile privacy driven smartphone provider located a security hole capable of exposing their devices to attacks. Blackphone is a specially designed smartphone developed by SGP Technologies, who operates as a subsidiary of Silent Circle. The phone uses VPN for Internet access and runs on a modified Android version titled “SilentOS”. A third-party component Silent Circle used as part of the device design was capable of exposing the secure smartphone to outside attacks.
What Was the Security Issue?
The vulnerability made it possible for an attacker to control the modem functions of the phone. Researchers brought this problem forth when they identified an open socket accessible on the phone during a reverse engineering exercise. Currently, Blackphone is one of the most secure phones on the market because it uses built-in encryption to deliver secure:
For Blackphone, the problem was directly related to a third-party component included as part of the smartphone’s design. An open socket that interacted with a number of applications was compromising application security. This vulnerability made it possible for attackers to send SMS messages or forward incoming calls via the socket without being noticed by users. An attacker could initiate calls, kill the modem, prevent incoming calls, and perform other malicious actions. Since the discovery, Silent Circle has taken measures to patch the identified flaw and the update was released in early December of 2015.
Continuous Code Analysis: Could It Have Helped?
Many companies rely on the technology of outside providers to put their product on the market, but at what cost? With no way to monitor code quality or locate defects, many companies experience critical security and operational flaws in their products or services. With the Blackphone vulnerability, attackers could essentially take over the phone, trick users into installing malicious applications, and perform other actions to compromise the device.
Could this problem have been identified sooner by evaluating code quality and analyzing the third-party component? Lack of information about the problem’s root cause makes this difficult question to answer. However, continuous evaluation with a defined set of standards and metrics has become essential to identifying potential defects before products reach consumers. Whether the product is a device or an application, certain measures must be taken to validate quality and security. Code analysis tools and defined metrics are a company’s first line of defense for identifying potential problems.
Whether the Blackphone issue was strictly hardware related or part of an underlying code problem is still up for debate. As these issues continue to surge, quality is definitely not something to put on the back burner. Every potential defect should be identified and resolved long before a product reaches the consumer market. The Blackphone issue might not have been directly code related, but it is a prime example of what can happen when measures are not taken to identify problems upfront.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M & A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the targetâ€™s systems, customized quality metrics, and liability implications of open source components - all three that are critical for an M&A due diligence.