The creators of the new encrypted Blackphone want you to hack it.
More specifically, the Geneva-based manufacturer of the Blackphone, which is actually a collaboration between encryption wizard Phil Zimmermann’s Silent Circle and Geeksphone, is offering cash rewards to anybody who can find holes in the device. In other words, it’s a Blackphone bug bounty opportunity.
“We want them to look at the phone, apps, services, anything leading to anybody getting unauthorized access to information, to make this thing happen,” Blackphone’s chief security officer Daniel Ford told VentureBeat.
The Blackphone began officially shipping in June, and chief executive Toby Weir-Jones told VentureBeat earlier this month that the device was literally flying off the shelves. As for Ford, he couldn’t confirm reports that 5,000 units had sold at $629 a pop. However, Ford did say business was booming.
The genesis for the Blackphone bug bounty program can be traced back to the Defcon hacker convention in Las Vegas in early August. Hackers claimed in blogs that Blackphone had been successfully hacked, or deconstructed, prior to its unveiling. Ford said that information wasn’t “entirely accurate.”
“Prior to Defcon, my internal security people had discovered a vulnerability on July 30. But all the phones shipped to Defcon didn’t include the update. It was a problem concerning the phone’s root privilege access. And we fixed it,” Ford said.
According to Blackphone, the bug bounty program means that those finding holes in the devices’ client apps, network services, cloud infrastructure, web sites and services, for example, will earn themselves $128 per security bug discovered. Guidelines for the program can be found here.
The backbone of the Blackphone is its Android-centric operating system, called PrivatOS. The Blackphone comes with built-in industrial-grade encryption that protects IMs, voice, video, and chat. It took six months for Jones’ engineers to design and build.
Blackphone comes with a gravity sensor, light sensor, proximity sensor, magnetic sensor, and GPS. Additional features include secure file transfer and storage and secure and private browsing. Blackphone’s Security Center also lets users customize data flows.
Blackphone is partly the brainchild of Zimmermann, perhaps best known as the inventor of the encryption tool PGP, which garnered raves with Usenet users when it was released in 1991. Blackphone is sexy and slim, with a 4.7-inch display, quad-core 2 GHz system-on-a-chip processor, and 1 GB of LPDDR RAM.
Ford said hackers, white hatters preferably, who find bugs can report them anonymously and still receive the bounty.
The rules for those joining the bounty program, according to Blackphone:
- You must be the first reporter of a vulnerability
- The vulnerability must be a qualifying vulnerability
- We can’t be legally prohibited from rewarding you
- You may not publicly disclose the vulnerability prior to our resolution
- You must not be employed by Blackphone or its subsidiaries or related entities
Ford emphasized that Blackphone has worked closely with leading security researchers both in designing the device and helping plug potential holes in the OS, for example.
Blackphone chief Jones, who cut his teeth in the security world while employed by British Telecom, said those ordering the phone thus far include users who value secure lines of communication and even individual employees of the federal government. No government contracts have yet been inked.
“The goal for us is we need as many eyes on our product as we possibly can get,” Ford said.