|
Blackberry Priv security fail wtf?! |
Bruce Perry
Member #270
April 2000
|
While reading a seemingly legit page entitled "LG G5 review: 2016's cleverest smartphone is having some problems ..." and hosted on alphr.com, using the default Chrome on a Blackberry Priv (supposedly one of the most secure Android phones available), I found my browser hijacked by some dodgy popups along the lines of (variously):
Just smoke and mirrors implemented using JavaScript, surely to goodness - definitely not Blackberry's fault, nor Chrome's. And then I got a missed call from a number in America, which I Googled and it's one of those Indian "you have virus please sir" numbers. So Chrome revealed my phone number to a dodgy website - on a Blackberry Priv?! In fairness, there has been an (actual) OS update sitting waiting for ages which I'm only now (in reaction) installing, but still, I'm shocked. I've also gone into the permissions settings and turned off all of Chrome's. -- |
Erin Maus
Member #7,537
July 2006
|
Does the GSM module in the Priv share the same bus or have access to the RAM and other hardware of the phone? A phone is only as secure as its GSM module if it doesn't, and GSM modules are riddled with security flaws. --- |
Bruce Perry
Member #270
April 2000
|
False alarm - the number left me a message which I finally listened to, and it was Amazon trying to verify an order I placed today, for which I entered a new address, then changed it to a pickup location, then changed it back - and all from my phone which I possibly haven't used for Amazon purchases before. They gave me the last two digits of my card as well. Not that I could manage to get any intelligent life out of Amazon when I tried to follow it up. The only mystery then is why the Internet thought that number was dodgy, but everything else adds up.

Aaron Bolyard said: Does the GSM module in the Priv share the same bus or have access to the RAM and other hardware of the phone?

I have no idea - how do you think one would find out? -- |
Erin Maus
Member #7,537
July 2006
|
Bruce Perry said: I have no idea - how do you think one would find out?

No clue. BlackBerry doesn't provide any information that I could find. At most I found some mention about a 'layered defense', but no specifics. It's a shame. I'd like a genuinely secure cell phone. --- |
bamccaig
Member #7,536
July 2006
|
A secure cell phone doesn't exist precisely because it's not in anybody's interest except the user (who doesn't get a say). The vendor and service provider want an insecure device so that they can modify it remotely and probably harvest data. The government wants insecure devices so that they can spy on the citizens. We won't be able to attain secure phones until enough people are concerned about it (unfortunately, most people couldn't give a fuck) and insist on open hardware and software (both must be open for an auditable device). -- |
Bruce Perry
Member #270
April 2000
|
So the final piece of the puzzle is explained by the second Google result for that number: caller ID can be spoofed! So, the call I received was most likely genuine, but other people have received scam calls that appeared to come from that number too. Good to know. Sorry bambams, instead of a cookie, you get this video -- |
Erin Maus
Member #7,537
July 2006
|
I like the animation in that video. --- |
|