Last year, privacy-focused Blackphone got a dubious distinction: It became known as the locked-down phone that supposedly got hacked in just 5 minutes.
Things have changed. Now, it’s a whole mobile product line geared for companies (and perhaps paranoid individuals), a brand-new acquisition for encryption services firm Silent Circle, and a multi-million dollar enterprise with nearly $750 million in device sales.
The group introduced its latest devices this week at Mobile World Congress—the Blackphone 2 smartphone and its first tablet, currently dubbed Blackphone+. But what was really on display was the company’s uncanny knack for turning a well-publicized security flub into a win.
Meet Blackphone 2 And Blackphone+
As far as upgrades go, the 5.5-inch Blackphone 2 looks like a decent successor to last year’s original 4.7-inch Blackphone.
Like most second-generation phones, version 2 offers several hardware improvements, including a faster 64-bit 8-core processor, more memory (3GB), a bigger battery and a larger display. The phone also ties into Citrix’s Mobile Device Management, so IT departments can manage employees’ company-supplied or BYO (“bring your own”) phones. Blackphone 2 is priced at $630 (unlocked) and slated for a July release. Soon after, it will be joined by the company’s first tablet, the 7-inch Blackphone+, sometime this fall.
Both run Blackphone’s PrivatOS software, a variation on Android designed as an extra layer of protection between users and the big, bad outside world. When apps unnecessarily ask for personal data, like contacts or location, Blackphone can intercept the request, blocking or obscuring it. The software can even fool the app into thinking the user granted access, even if he or she didn’t.
“You can take an Android device, you can root it, introduce [similar] features, and after months, you can have something like Blackphone,” said Javier Agüera, Blackphone’s founder and now a chief scientist at Silent Circle. “Or you can have an out-of-the-box device, with everything set up by security specialists, that’s enterprise ready and configured the way you need it.”
PrivatOS boasts new virtualization feature called “Spaces,” which offers separate “work” and “personal” modes, the ability to add profiles and an app store vetted by Blackphone. The technology’s encryption protocols also save keys on the device itself, not some unknown remote server. The phone’s price includes two years of security services that guards against unsafe WiFi networks, private browsing, and secure cloud file storage.
Sounds like a lot of protection, at least, it’s more than most users are accustomed to getting. It all goes back to Blackphone’s mission: The company wants to safeguard people. It seems sincere—even though a hacker actually did manage to breach those walls last year.
Turning Hackers Into BFs
At hacking convention DefCon last year, CTO Jon “Justin” Sawyer of Applied Cybersecurity LLC told Blackphone that he managed to get past its security to root its device. What’s more, he tweeted the exploit, which landed on BlackBerry sites and other tech blogs.
Sawyer found a couple of weak spots in the software, including a hole in the remote wipe feature that let the security expert access the device and grant himself system privileges. He was able to give himself access to core parts of the phone. But what gets less attention, the execs said, is that the company had already patched the hole.
Sawyer essentially attacked an old, outdated version of the software. Even so, the incident and publicity could have humiliated Blackphone right out of the market. It didn’t. Instead, the company is milking it.
The team thanked Sawyer for the discovery and sent him a bottle of wine. Then it enlisted others to scope out any other vulnerabilities.
According to Vic Hyder, Silent Circle’s chief strategy officer, Blackphone recently launched a bug bounty program to reward people for finding security glitches—from $128 to more, depending on the severity. (Bounties are fairly common in the tech industry; even big companies like Facebook, Google and Microsoft offer rewards to bug hunters.)
“[It] makes them part of the solution, instead of part of the problem,” Hyder said. “It brings everybody in as a participant.” Even Sawyer, now a friend of Blackphone, helps out by looking for other vulnerabilities. The company publishes all of its source code, to help make it easier for people to find holes.
So far, Hyder estimates that the company has paid out about $15,000 to $20,000 in bounties.
“Nothing is hack-proof,” admits Daniel Ford, chief security officer.
However, he says his company can help guard against certain types of attacks. “Targeted attacks are completely different than mass surveillance,” he said.” There’s little Blackphone or anyone can do against the former, such as last year’s breach at Sony Pictures—which may have been a specific retaliation for The Interview, a comedy that poked fun at North Korea.
Ultimately, if a hacker wants your data badly enough—whether it’s a criminal or a NSA agent—he or she has innumerable tools that can help get it. No platform can hold up against that, he explained.
But when it comes to broader mass surveillance, Ford said Blackphone can step in and offer more protection. “This is where our commitment is: If there is a vulnerability that was disclosed publicly, we will fix it in less than 72 hours,” he said. “We have done so every time. That is our goal … the last time, it took only 6 hours.”
“Samsung had two critical vulnerabilities that was released two weeks ago,” he added, calling out one of his archrivals in the enterprise market, albeit for a vulnerability in its TV business. Still, he couldn’t resist poking at Samsung’s overall attitude toward security: “They have not even started to address it,” he said.
Photos by Adriana Lee for ReadWrite