The vendor area at Black Hat goes by the name of The Business Hall, and that sums it up. It is full of security companies, large and small, pitching their products in typical trade show fashion. The vendor area at Defcon is not like that. It is a jumble of vendors selling hacker equipment, lock picking tools, black T-shirts with cool slogans, books, education, and subversive ideas. Over in one corner is a Tesla, because Elon Musk is cool. Missing for the past two years is the Homeland Security recruiting booth, and this year I don’t see any of the spy cameras disguised as hats, sunglasses, and watches that were popular last year. Nonconsensual surveillance is out of fashion here.
My vote for the coolest new product this year goes to the Blackphone, a high security Android based smartphone available for $600 (cash only). I say “Android based” because the operating system has been modified and rebranded as PrivatOS. The most significant modification seems to be the addition of a Security Center, which lets you limit the privileges available to each app without having to disable the app completely. You may have seen the viral message going around that complains about the wide ranging privileges requested by the Facebook Messenger app for Android. Snopes rates this a mixture of true and false. It’s true that the app requests a lot of privileges, but no more than you have already given to Facebook if you are running that app. Here’s how John McAfee’s DCentral1 app rates them. The more points, the more privacy invading privileges the app requests. As you can see, Facebook is rated worse than Facebook Messenger, which is tied with its rival OTT messaging service WhatsApp. If this bothers you, you can use the Blackphone to give Facebook Messenger just the privileges it needs to let you chat with your Facebook friends, but not to access your phone or SMS services.
As well as the operating system mods, Blackphone comes with various security apps installed, including the Silent Circle suite, which allows end-to-end encrypted voice and text communications with other Silent Circle users. For cloud storage, Spider Oak is supplied. Files stored on Spider Oak are encrypted before being uploaded, so that even if their servers or network are compromised, your data is safe. A Blackphone purchase also includes subscriptions to these services, but does not require buying a phone company plan. It’s up to you to sign up with a GSM compatible carrier; in the US that’s AT&T and T-Mobile. Burner SIMs from ReadySIM also work, as that service resells T-Mobile’s network, so you can change your phone number every week if you want. You are not forced to encrypt the data on the phone itself, but the setup wizard will nag you repeatedly if you don’t. As a final layer of security, the company itself is incorporated in Switzerland, putting it beyond the reach of US search warrants and court orders.
Physically the phone itself is satisfying. It’s black (of course) and so is the default screen background. It’s slim (just one third of an inch thick) and feels elegant in the hand. It could well become as much of a status symbol as the early iPhones were, a way to declare “my data is more important than your data”. My own feeling is that some of the security features in the Blackphone should have been built into the Android operating system from the start. Perhaps if it is a success, Google may decide to include them in a future release.
As I learned from leading a session at RSA earlier this year, the open nature of Android makes it less secure off the shelf than the iPhone. However, if you need military level security, the iPhone may not be able to provide that, whereas if you put enough effort into Android you can make it secure enough. While the Blackphone is aimed at the individual consumer, I expect there will also be a lot of interest from corporations desiring better security than is available from off-the-shelf smartphones.
I haven’t used this phone or investigated it in detail, so I can’t confirm how well it works in practice. However, I think the ideas behind it are really interesting, so if you are looking for a more secure Android implementation for personal or corporate use, you should certainly take a look at Blackphone.