The feat was executed at the DEF CON hacker conference, where Jon Sawyer (@TeamAndIRC), CTO of Applied Cybersecurity, had time to audit the smartphone in question.
He took to Twitter to enumerate the vulnerabilities that allowed him to do this.
What he didn't know was that he had tested a phone with old firmware, and that the SGP Technologies team, the creators of Blackphone, had already patched one of the vulnerabilities and pushed out the update.
The company's chief security officer, Dan Ford, explained in a blog post that the first issue lets an attacker turn on the Android Debug Bridge (ADB), which is currently off by default.
"In the final days before manufacture, a bug was found with ADB on the Blackphones which could throw the phone into a boot loop when full device encryption was turned on. Rather than miss the manufacturing window or cause user grief, the developer menu was turned off," he shared.
"Disabling ADB is not a security measure, and was never meant to be — it will be returning in an OTA to Blackphone in the future once the boot bug is resolved; the realities of getting a product manufactured and shipped within the available manufacturing window meant a quick fix was needed."
The second issue was the aforementioned closed vulnerability, which was found on July 30 and patched the very next day.
As for the third issue, Sawyer said that he will privately disclose it to SGP Technologies, and noted that "it is hard to reach and trigger, requiring priv(ilege) escalation to even attempt, and of little value."
Still, as Sawyer confirmed and Ford noted, to exploit any of these vulnerabilities, an attacker needs to have physical access to the device - they are not exploitable via a drive-by download or in any way remotely.
It's practically impossible for any software to be free of bugs and vulnerabilities, and Blackphone's PrivatOS is no exception. In fact, the manufacturer expected researchers to find some, and aims to reward those who responsibly disclose them.
But what they do want to achieve is to push out patches for found vulnerabilities faster than any other OEM.
"We control the complete OTA process, and are able to fix issues as soon as they are disclosed, if they haven’t been pre-emptively fixed," says Ford. "For example, Blackphone already has patches for other vulnerabilities such as the futex() kernel bug used by TowelRoot which has not yet been included in an AOSP versioned release."