Blackphone Update Removes Critical Security Threat: Did Code Quality Issues Contribute to the Problem?

by Pete Pizzutillo

As reported in a recent InfoWorld article, a high-profile, privacy-driven smartphone provider located a security hole capable of exposing its devices to attack. Blackphone is a purpose-built smartphone developed by SGP Technologies, a subsidiary of Silent Circle. The phone uses a VPN for Internet access and runs a modified Android version called “SilentOS”. A third-party component Silent Circle used as part of the device design was capable of exposing the secure smartphone to outside attacks.

What Was the Security Issue?

The vulnerability made it possible for an attacker to control the phone’s modem functions. Researchers surfaced the problem when they identified an open socket accessible on the phone during a reverse-engineering exercise. Blackphone is currently one of the most secure phones on the market because it uses built-in encryption to deliver secure:

  • Voice Calling
  • Text Messaging
  • Video Conferencing
  • File Transfers

For Blackphone, the problem was directly related to a third-party component included in the smartphone’s design. An open socket that interacted with a number of applications was undermining application security. The vulnerability made it possible for attackers to send SMS messages or forward incoming calls via the socket without users noticing. An attacker could also initiate calls, kill the modem, block incoming calls, and perform other malicious actions. Since the discovery, Silent Circle has patched the identified flaw; the update was released in early December 2015.
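The article does not publish the component’s code or protocol, so the following is an added illustration of the weak pattern it describes and of a hardened alternative, not Blackphone’s or Silent Circle’s code. It assumes a hypothetical local “modem agent” with constructed command names: the open-socket version executes whatever any connecting process sends, while the hardened version listens on a Unix-domain socket, reads the caller’s uid from the kernel via SO_PEERCRED (Linux-specific), and only lets an allowlisted uid issue privileged commands.

```python
import os
import socket
import struct
import tempfile
import threading

# Constructed command set for a hypothetical modem-control agent (not the real protocol).
READ_ONLY = {"STATUS", "SIGNAL"}
PRIVILEGED = {"DIAL", "SEND_SMS", "FORWARD_CALLS", "MODEM_RESET"}


def handle_open_socket(command: str) -> str:
    """The weak pattern: whoever can reach the socket gets the command executed.
    The service trusts the transport instead of identifying the caller."""
    if command in READ_ONLY | PRIVILEGED:
        return f"OK {command}"
    return "ERR unknown"


def authorize(peer_uid: int, command: str, trusted_uids: frozenset) -> str:
    """Hardened decision: caller identity plus a per-command allowlist."""
    if command in READ_ONLY:
        return f"OK {command}"
    if command in PRIVILEGED:
        if peer_uid in trusted_uids:
            return f"OK {command}"
        return f"DENIED {command} uid={peer_uid}"
    return "ERR unknown"


def serve_once(listener: socket.socket, trusted_uids: frozenset) -> None:
    """Accept one connection, identify the peer, answer one command."""
    conn, _ = listener.accept()
    with conn:
        # SO_PEERCRED is filled in by the kernel (pid, uid, gid of the peer),
        # so a client cannot forge its identity the way it could in a message.
        creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
        _pid, uid, _gid = struct.unpack("3i", creds)
        command = conn.recv(256).decode("ascii", "replace").strip()
        conn.sendall(authorize(uid, command, trusted_uids).encode())


def request(path: str, command: str) -> str:
    """Client side: send one command to the agent socket and return its reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(command.encode() + b"\n")
        return c.recv(256).decode()


def current_uid() -> int:
    return os.getuid()


def demo(trusted_uids, commands):
    """Run the hardened agent on a throwaway Unix socket and return the replies."""
    trusted = frozenset(trusted_uids)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "agent.sock")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
            listener.bind(path)
            os.chmod(path, 0o660)  # filesystem permissions limit who can connect at all
            listener.listen()
            worker = threading.Thread(
                target=lambda: [serve_once(listener, trusted) for _ in commands])
            worker.start()
            replies = [request(path, c) for c in commands]
            worker.join()
    return replies


if __name__ == "__main__":
    print("open socket:", handle_open_socket("SEND_SMS"))
    print("hardened, untrusted caller:", demo([], ["STATUS", "SEND_SMS"]))
    print("hardened, trusted caller:", demo([current_uid()], ["SEND_SMS"]))
```

The point of the contrast is that a local socket is not a security boundary by itself: a service that speaks to “a number of applications” needs to know which application is talking and what it is allowed to ask for, and a reviewer auditing a third-party component should look for exactly that check.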

Continuous Code Analysis: Could It Have Helped?

Many companies rely on the technology of outside providers to put their product on the market, but at what cost? With no way to monitor code quality or locate defects, many companies experience critical security and operational flaws in their products or services. With the Blackphone vulnerability, attackers could essentially take over the phone, trick users into installing malicious applications, and perform other actions to compromise the device.

Could this problem have been identified sooner by evaluating code quality and analyzing the third-party component? The lack of information about the problem’s root cause makes this a difficult question to answer. However, continuous evaluation against a defined set of standards and metrics has become essential to identifying potential defects before products reach consumers. Whether the product is a device or an application, certain measures must be taken to validate quality and security. Code analysis tools and defined metrics are a company’s first line of defense for identifying potential problems.
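As an added example of what one “defined metric” in a continuous analysis pipeline can look like (my illustration, not CAST’s tooling or anything the article describes), the check below parses Python source and flags every `socket.bind()` whose address literal uses a wildcard host, then applies a build gate with a threshold of zero findings. The sample source is constructed for the example; a real pipeline would run the same rule over each third-party component’s code on every commit.

```python
import ast

# Constructed sample standing in for a vendor component under review.
SAMPLE_SOURCE = '''\
import socket

def start_agent(port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("", port))            # reachable on every interface
    s.listen(5)

def start_debug(port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", port))   # loopback only
    s.listen(1)

def start_legacy(port):
    s = socket.socket()
    s.bind(("0.0.0.0", port))
    s.listen(1)
'''

# Hosts that mean "listen everywhere" for IPv4/IPv6 bind() calls.
WILDCARD_HOSTS = {"", "0.0.0.0", "::"}


def _wildcard_host(addr_node):
    """Return the wildcard host a bind() address literal uses, or None."""
    if not isinstance(addr_node, ast.Tuple) or not addr_node.elts:
        return None
    host = addr_node.elts[0]
    if isinstance(host, ast.Constant) and host.value in WILDCARD_HOSTS:
        return host.value
    if isinstance(host, ast.Attribute) and host.attr == "INADDR_ANY":
        return "INADDR_ANY"
    return None


def find_wildcard_binds(source, filename="<sample>"):
    """Rule: every .bind((host, port)) whose host is a wildcard is a finding."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "bind" and node.args):
            host = _wildcard_host(node.args[0])
            if host is not None:
                findings.append((filename, node.lineno, repr(host)))
    return findings


def quality_gate(sources, max_findings=0):
    """Metric + threshold: pass only if the total number of findings is within budget."""
    findings = [f for name, src in sources.items()
                for f in find_wildcard_binds(src, name)]
    return len(findings) <= max_findings, findings


if __name__ == "__main__":
    passed, findings = quality_gate({"agent.py": SAMPLE_SOURCE})
    for filename, line, host in findings:
        print(f"{filename}:{line}: bind() on wildcard host {host}")
    print("gate passed" if passed else "gate FAILED")
```

A single AST rule is obviously not a substitute for a full analysis platform, but it shows the shape of the practice the paragraph argues for: the standard is explicit, the metric is countable, and the gate runs before the code ships rather than after a reverse-engineering exercise finds the exposure.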

Whether the Blackphone issue was strictly hardware-related or part of an underlying code problem is still up for debate. As these issues continue to surge, quality is definitely not something to put on the back burner. Every potential defect should be identified and resolved long before a product reaches the consumer market. The Blackphone issue might not have been directly code-related, but it is a prime example of what can happen when measures are not taken to identify problems upfront.

References:

http://www.infoworld.com/article/3019379/security/blackphone-update-closes-security-hole.html

https://en.wikipedia.org/wiki/Blackphone

Pete Pizzutillo, VP Corporate Marketing at CAST

Pete Pizzutillo is Vice President of Corporate Marketing at CAST. He is responsible for leading the integrated marketing strategies (digital and social media, public relations, partners, and events) to build client engagement and generate demand. He passionately believes that the industry has the knowledge, tools and capability such that no one should lose customers, revenue or damage their brand (or career) due to poor software. Pete also oversees CAST’s product marketing team, whose mission is to help organizations understand how Software Intelligence supports this belief. Prior to CAST, Pete oversaw product development and product management for an estimating and planning software company in the Aerospace and Defense market. He has worked in several industries in various marketing roles and started his career as an advertising agency art director. He is a graduate of The Pennsylvania State University with degrees in Business Administration and Art. Pete lives in New Jersey with his wife and their four children. You can connect with Pete on LinkedIn or Twitter: @pizzutillo.