Transparent Response About First Update To PrivatOS

Learn about the first update to PrivatOS for Blackphone. We address vulnerabilities as soon as they are detected in order to ensure your security and privacy.

I was hoping for a much more interesting initial post here at Blackphone, but circumstances dictate a little more formality. We recently released our first update to PrivatOS with version 1.0.1. In publishing our release we made a few faux pas:

  • The hosting site was not SSL enabled,
  • Failure to provide a proper checksum for the download,
  • Failure to provide release notes on our support page; and
  • We have not publicly released our kernel.

If we met at #HopeX and had any brief discussion RE: security/privacy posture at Blackphone, then we indubitably discussed that I will be very transparent about security and privacy of Blackphone and PrivatOS; and that my team would respond directly. Well, I am on week number three and still in the process of…well everything. But, I am responding as promised.

Issue #1: Hosting site was not SSL enabled

While we should have all of our communications SSL enabled, this in and of itself should not be construed as a vulnerability per se. For more details on the process go to the following URL: support.blackphone.ch/customer/portal/articles/1640950-how-does-blackphone-perform-ota-upgrades-is-it-secure-?b_id=4314

This issue has been submitted as a bug, and it will be corrected very soon.

Issue #2: Failure to provide a proper checksum for the download

Valid. An MD5 checksum was provided ( 2b158b5f8327933b2415768cb5d6b796); however as a security company we really should be using a more updated algorithm. In the future we will be using SHA256.Blackphone v1.0.1

Issue #3: Failure to provide release notes on our support page

Valid. Corrected.

Blackphone OTA Process: support.blackphone.ch/customer/portal/articles/1640950-how-does-blackphone-perform-ota-upgrades-is-it-secure-?b_id=4314

Issue #4: We have not publicly released our kernel

This is a valid complaint. We have obligations under GPL as well as commitments to the 3rd-party providers whose software we use within PrivatOS. We are working to extract the first batch of unrestricted code (primarily concerning the PrivatOS kernel) and put it up on github within the next 7-10 days.

On behalf of Blackphone and myself, I’d like to personally thank @kappuchino for pointing out some of our deficiencies. Hopefully my next post will be more interesting…

Dan Ford, D.Sc (@netsecrex)

CSO, SGP Technologies

Categories:

Related posts

Now Available In Spanish And German - Ja! Sí!

This is a quick update to let everyone using Silent Phone for Android, iOS, Accounts Web and Silent Manager know that...

Silent Phone 6.0 is Here!

We are pleased to announce that the much-anticipated Silent Phone version 6.0 is now available for iOS and Android....

Introducing Credit Top-up for Silent Phone

We are excited to announce Silent Phone users will now be able to automatically top-up their service when they pay with...