JΞSTΞR’s Loadout: The Blackphone. The Review & an Insane Giveaway Gamble

“Security… it’s simply the recognition that changes will take place and the knowledge that you’re willing to deal with whatever happens.” ~ Harry Browne
OWN MY SIGNED BLACKPHONE! DETAILS AT BOTTOM OF THIS OFFERING.
Sometimes being ‘jester’ has its perks. For example, I nearly fell off my already wobbly perch when the CSO for Silent Circle, Mr Dan Ford aka @NetSecrex on Twitter, made contact and offered me not one but TWO Blackphones to have a play around with (and keep). After a few nanoseconds of deliberation and assurances from Mr Ford that this was not a lame attempt to track me down, I agreed and set up a mailing route with multiple hops, each recipient unknown to the previous, in order to receive the items (effectively the reverse of when I sent my laptop to the International Spy Museum).
Record Straightening….
Before I get started, there’s somewhat of a myth that I feel needs to be cleared up regarding this device getting ‘rooted’ within 5 minutes at Defcon earlier this year by . It’s a huge misconception that this incident ‘proved’ the Blackphone to be insecure, and I’m going to explain why…. as simply and quickly as I can, so we can ALL understand.
In order for said ‘rooting’ to be achieved, certain extraordinary conditions have to be met. These include the following:
  • You have to have physical access to the device, in your hands, you simply cannot perform the operation remotely.
  • You would have to find the only Blackphone user who did not encrypt the device at setup and ignores the reminders.
  • You would have to find the only Blackphone user who does not accept the (very regular) OTA firmware updates.
  • You would have to beat the shit out of said Blackphone user until he disclosed his keystore PIN.
  • You need the software tools, cables and expertise in order to carry out the exploit.


If any one of these conditions is not met you’re not getting in, and by the very nature of the Blackphone and the type of demographic that would be using such a device, an attacker would be hard pressed to stumble across an unencrypted, non-updated, PIN-free phone anywhere on planet earth. If such a beast exists, then the owner deserves whatever comes his/her way. In fact, I’m so confident in this device, somebody out there is going to receive mine, powered off, but not factory reset. See the competition at the end of this post.


The Review


I’m going to skip yapping about the premium packaging and yadda yadda, but I will say it’s light as a feather and has a nice soft-touch rear. To be fair it arrives pretty much as any other smartphone does, usual wall socket and USB cable included. It’s really not until you power this puppy up and start using it… because that’s when you start to feel all ‘AIDEN PIERCE’ about it. Upon initial power up you are prompted to set up device encryption and your PIN, which actually works surprisingly well. I’ve had many a traditional Android device (rooted) and full device encryption has always been sketchy. Once that’s complete, you are invited to scan a QR code that is sitting inside the box; this is your free included subscription to the Silent Circle suite of applications, which I’ll talk about later. Right now I’d like to explain what sets this device apart, for me at least….


It’s running a completely re-jigged kernel…


…not only that, it’s a custom version of the Android platform dubbed PrivatOS. What’s really cool about this is the way it’s been built with security in mind, from the ground up. Security is inherent, and built-in at the highest and lowest possible levels, not least the built-in Linux Unified Key Setup (LUKS) encrypted filesystem. I’m not saying you can’t recreate many of the features of a Blackphone on a regular phone using 3rd party apps from the Google Play Store, but in doing that you immediately open yourself up to malicious actors and threats in the very act of trusting multiple, unknown sources, which leads me to my next point…


No More Google Play Services, and that’s fine with me…


Now, don’t misunderstand me, I love Google, they are the true innovators of the internet. But this comes at a price: all of Google’s products and services are intertwined behind a single sign-on, and most of Google’s services are ‘free’ at first glance, but make no mistake, everything we do on every single Google service is tracked and analyzed by the company for marketing and ‘other’ purposes. I’m not tin-foiling here, it’s a fact. It’s the price we pay for their innovations every time we accept a EULA, and a regular Android phone is no exception. Having no Google Play Services present on the device has had no effect on what I have or have not been able to do with the phone; you can still install almost any regular Android app you like (as long as you trust it) via places like the official Amazon App Store, or if you are brave also APKLeecher and APTOIDE or a multitude of other methods – just make sure you trust the developer and source. In this way I have not found a single thing I have not been able to do or accomplish that I could with a regular Android powered phone. All apps are also effectively sandboxed or segregated from the rest of the device and you assign individual permissions to them specifying exactly what any given app can do (if anything) with other services on the phone. This all happens at the OS level, unlike similar 3rd party solutions which are basically a bolt-on layer of security.

Bundled Applications


The device comes with a subscription to ‘DSecure’. Taking advantage of the service DOES NOT require you to provide any identifying details about yourself. I kinda like that. DSecure is basically an encrypted VPN tunnel between your device and the internet. You can enable it to automatically kick in on any Wi-Fi connection and, with a little work, make it do the same for cellular networks too.


There’s also encrypted voice, encrypted SMS messaging and encrypted contacts; all three of these are protected via a central ‘keystore’ that you have to log in to each time your phone powers up. This is separate from the full device encryption you log in to even before the bootloader finishes cycling. You’ve also got remote wipe in case you lose it, but as I said further up in this post, it’s not like anyone is going to be able to get into it if they find it lying around.
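The LUKS device encryption mentioned under PrivatOS and the keystore PIN described just above follow the same layered design: a random master key protects the data, and the PIN only unlocks a wrapped copy of that key, so changing the PIN re-wraps the key without re-encrypting anything, and every offline guess at the PIN costs a full key-derivation run. The following Python is an added illustration of that design, written for this post; it is not Blackphone or PrivatOS code, and the function names, the PBKDF2 iteration count, the XOR-based wrapping (LUKS uses a real cipher over its keyslots) and the sample PIN are all assumptions chosen for the example.

```python
"""Toy model of a PIN-protected keystore slot (hypothetical; not Blackphone code).

A random 32-byte master key is what actually protects the data.  The PIN is
stretched with PBKDF2 into a wrapping key plus a MAC key; the wrapping key
hides the master key and the MAC key lets a wrong PIN be rejected.
"""
import hashlib
import hmac
import os
from typing import Optional

# Illustrative value: in practice tune so one derivation takes ~0.5 s on the device.
KDF_ITERATIONS = 200_000


def wrap_master_key(pin: str, master_key: bytes, salt: Optional[bytes] = None,
                    iterations: int = KDF_ITERATIONS) -> dict:
    """Create a keyslot: derive 64 bytes from the PIN, wrap the master key, MAC the result."""
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=64)
    wrap_key, mac_key = derived[:32], derived[32:]
    # XOR wrap: wrap_key is unique per salt and used exactly once, so this is a one-time pad.
    wrapped = bytes(a ^ b for a, b in zip(master_key, wrap_key))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "wrapped": wrapped, "tag": tag}


def unwrap_master_key(pin: str, slot: dict) -> Optional[bytes]:
    """Return the master key if the PIN verifies; None for a wrong PIN or a tampered slot."""
    derived = hashlib.pbkdf2_hmac("sha256", pin.encode(), slot["salt"],
                                  slot["iterations"], dklen=64)
    wrap_key, mac_key = derived[:32], derived[32:]
    expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
    # Constant-time compare so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["wrapped"], wrap_key))


def exhaustive_search_seconds(pin_length: int, seconds_per_guess: float) -> float:
    """Worst-case time to try every all-digit PIN of the given length at the KDF's cost per guess.

    This is the number a defender uses to size PIN length and KDF iterations together.
    """
    return (10 ** pin_length) * seconds_per_guess


if __name__ == "__main__":
    master = os.urandom(32)                     # constructed sample master key
    slot = wrap_master_key("2468", master)      # constructed sample PIN
    assert unwrap_master_key("2468", slot) == master
    assert unwrap_master_key("2469", slot) is None
    # Re-keying the PIN touches only the slot, never the data encrypted under `master`.
    new_slot = wrap_master_key("13579", master)
    assert unwrap_master_key("13579", new_slot) == master
    for digits in (4, 6, 8):
        print(f"{digits}-digit PIN at 0.5 s/guess: "
              f"{exhaustive_search_seconds(digits, 0.5) / 86400:.1f} days worst case")
```

The two things worth taking from the model are that the data never needs re-encrypting when the PIN changes, and that the guessing budget is the product of PIN space and per-guess KDF cost: a short numeric PIN is only as strong as the derivation cost behind it, which is why the author's "longer than combined lifespans" claim depends on the device keeping that cost high and the encrypted blob out of an attacker's hands.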


Firmware Updates


Since using the Blackphone I have had multiple OTA updates, and each time new ‘official apps’ are added. The latest one especially impressed me, as it replaced the native email app and provided integrated and seamless PGP support for the signing, encrypting and decrypting of messages with your public/private PGP keyring. That stuff makes a difference when you are me.


Would I recommend it?


While it’s not the most powerful smartphone on the market specifications-wise, with a 2 GHz processor, 2 GB RAM and 16 GB internal storage, if you require ultimate peace of mind when it comes to your device falling into the wrong hands I’d say it’s absolutely worth diving in. Hell, I just included it in my ‘LOADOUT’ series. It comes fully unlocked so you can use it anywhere in the world; all you need is a SIM card and you are connected. More details on the Blackphone website. Big thanks to the folks at Silent Circle, Blackphone and @NetSecrex for providing the phones and asking me what I think. Now you know. I’m also impressed with how they rolled with the initial punches thrown at them, and that’s why I used the Harry Browne quote at the top of this post.


NOW… I KNOW WHAT YOU’RE THINKING…


If you’re *anything* at all like me, you want to know how this thing fares in conditions one might refer to as ‘frosty’, for example high altitude, low atmosphere conditions. Well, did you know you can pick up a 1200 gram weather balloon that will expand to about 28ft in diameter before it explodes right at the edge of space for approx 50 bucks on eBay? Did you also know you can fashion a little parachute from umbrella fabric, and use the device’s onboard GPS, camera and other sensors to track all kinds of things, including video footage during the ascent to 90+ thousand feet and the descent, including wherever it touches down?


I shit you not, I’ve got my weather balloon on order, so stay tuned for all that hilariousness. I’ve got ‘high’ hopes for success. I’ll update here. If the device makes it back to terra firma in working order I’ll also do a more in-depth technical teardown ‘Blackphone Loadout’ post, Part II.


Meanwhile, as I said earlier, Silent Circle sent me 2x Blackphones, so that leaves the other Blackphone in my possession, the one I’ve been using….


… HERE’S YOUR CHANCE TO GET YOUR HANDS ON MY SIGNED BLACKPHONE.



In order to have me send you my Blackphone (it will arrive with you via multiple hops, and fingerprint-free, so don’t get any funny ideas), you must be a follower on Twitter. Some of you knew I was going to do this but expected me to create some wild techno-babble-filled contest. I want everyone to have a shot who wants a shot, so all you need to do is tell me why you deserve it via Twitter. Make sure to use the hashtag #JESTERSBLACKPHONE. Note: if it gets a favorite from me, it’s on the shortlist. I’ll be asking Silent Circle’s CSO Dan Ford to help me pick a winner winner chicken dinner on 1st December and I’ll announce it on Twitter and on this blog post. You can enter as many times as you like. Good luck.


Oh yeah, and one last thing.


I’m SO CONFIDENT it would take longer than all my followers’ combined lifespans to decrypt the contents that it WON’T be factory reset. I’ll leave it exactly as it is, with booty and swag like public and private PGP keys, email accounts, selfies and docs on the internal storage. It will be powered off. When you decide you want to use it as your own phone, simply power it off, hold down the power button and volume down, then use factory reset in the menu options.


Peace.


J
PS AUDI, if you are listening I’m available to review a matte black finish Audi R8 at your convenience. There will be no giveaway, I promise.

UPDATE 11/14/14

Since putting the word out (see above) about the competition there’s been quite a few tweets fired at me expressing this sentiment:


Original tweet Link


Well, it just so happens that after a quick chat with the awesome Dan Ford aka @NetSecrex (CSO at Silent Circle), he has asked me to make a proposal to whoever wins my BlackPhone. Bear in mind it’s totally up to whoever wins and between yourself and Dan; it’s just an idea, you don’t have to. But you’ll end up with TWO Blackphones. Shit just got serious!


So here’s the skinny: the winner still wins my BlackPhone as described above, but Silent Circle have offered a brand new, unused Blackphone, also signed by me, to the winner on condition they loan the original BlackPhone as per above to the International Spy Museum, to be displayed next to my laptop, for not less than 1 year. So then you have TWO. And one of them was exhibited in a Washington DC museum.


Once the agreed period has elapsed, Silent Circle will:


FLY THE WINNER AND A GUEST TO WASHINGTON DC TO COLLECT IT IN PERSON!

And as you can see, I’m confident in the device, so I’ll personally call you BlackPhone-to-Blackphone to congratulate and thank you on the day. But wait, there’s even more: your guest gets a new Blackphone too! (Not signed by me.)
Again, this will be totally up to the winner, and while it would be really epic, I really don’t mind either way. It’s your call.
Thanks to Silent Circle for their generosity with this epic winner’s proposal.


12/1/2014 UPDATE: WINNER ANNOUNCEMENT

There’s been some TRULY EPIC ‘entries’ into the contest and I’ve been favoriting the ones I really like. This list of favorites has formed a (surprisingly long) ‘shortlist’. The guys at Silent Circle then got to pick the winner from that pool. I’d like to thank EVERYONE who entered, but there can only be one winner, and as per Silent Circle’s decision, that winner is @KSACTUALLY, who made several entries in meme format including this, this and this.


I’ll be sending the signed phone via a 3rd party to Dan Ford aka @NetSecrex (CSO at Silent Circle) this week, and he’ll be making contact with @KSActually in order to make the necessary arrangements thereafter.
To @KSActually: take some photos and post them on Twitter!
Thanks again to Silent Circle and everyone who had fun with this; some of the entries were hilarious!

More BlackPhone Infos:




"There's an unequal amount of good and bad in most things. The trick is to figure the ratio and act accordingly." ~ Jester   Copyright © CounterSocial. All Rights Reserved