A critical vulnerability discovered in the ultra secure BlackPhone has given attackers the ability to decrypt and read messages, read contacts, monitor geographic locations of the phone, write code or text to the phone's external storage, and enumerate the accounts stored on the device.
The vulnerability existed in SilentText which is the secure text messaging application bundled with the BlackPhone, the app can also be found in the Google play store as a free download. A component known as libscimp contained a type of memory corruption flaw known as a type confusion vulnerability.
Mark Dowd, a principal consultant with Australia-based Azimuth Security said "the vulnerability allows an attacker to directly overwrite a pointer in memory (either partially or in full), which when successfully exploited can be used to gain remote, unauthenticated access to the vulnerable device".
SGP Technologies (a joint venture between the makers of GeeksPhone and Silent Circle) has since issued a patch for a newly-discovered vulnerability