Spy Phone: Hands On With The Punkt MP-02

At first glance, the latest "dumb" phone from Swiss company Punkt Tronics AG is an attractive option for consumers seeking privacy and simplicity in the smartphone era. The MP-02 has no cameras, and it won't run any apps. Its Qualcomm Snapdragon 210 (entry-level, low performance) processor is incredibly efficient. We bought an MP-02, hoping we'd fall in love. But beneath the adorable polycarbonate casing and backlit keys lies a privacy nightmare.

Suspicious Tech

The MP-02 includes both GPS (US) and GLONASS (Russia), as well as gravity and gyroscopic sensors, and a digital compass. Suspiciously, none of the applications on the phone appear to utilize these sensors, and Punkt would not tell us why they were included in the phone.

Turn the phone on, and you'll see a BlackBerry Secure logo flash across the screen. That's because the MP-02 utilizes BlackBerry hardware commonly known as a Trusted Execution Environment, designed to maintain the integrity and security of the operating system.

In July 2018, we reached out to Punkt to find out just how secure that hardware really is. Thomas Dye, VP of Licensing & Product Management at BlackBerry told us the MP-02 "will be encrypted by default", but when pressed on the specific encryption methods, refused to comment.

In our correspondence, we noted that BlackBerry's IoT and Mobile licensing program employs an encryption standard known as FIPS 140-2, using HMAC-SHA-1 integrity checks, considered obsolete as of 2017 (the National Institute of Standards and Technology now recommends SHA-2).

Legal Liabilities

Mr. Dye also refused to comment on BlackBerry's lawful access policies,

BlackBerry may receive requests from legal authorities for lawful access assistance. We are guided by appropriate legal processes and publicly disclosed lawful access principles in this regard ... only our enterprise clients have control over the encryption keys for these communications.

It appears that BlackBerry maintains a "no-trust" posture for its Enterprise clients, but will assist law enforcement in gaining access to consumer devices, including when served a National Security Letter (NSL) from U.S. government agencies. In 2016, Dutch police claimed to have cracked BlackBerry encryption.

Passcodes on the MP-02 are limited to six digits (numbers only, despite the phone's capable T9 keypad). Such a poor security policy will likely benefit Israeli firm Cellebrite, which supplies law enforcement agencies with device cracking tools.

Phoning Home

Before inserting a SIM card, we connected the MP-02 to a MITM wireless access point to capture traffic from the phone. It immediately made dozens of repeated connections to the following domains, both sending and receiving data:

www.google.com play.googleapis.com connectivitycheck.gstatic.com app.fota.digitimetech.com 2.android.pool.ntp.org

Note that digitimetech.com is owned by a Chinese firmware distribution company, Shenzhen Digitime Technology Co. Ltd., a fact the Swiss phone maker doesn't openly advertise. It would appear that Punkt does not deliver software updates directly, but uses a foreign third-party in a country known for embedding malware and exfiltrating data.

We were also shocked to find that on a phone with absolutely no Google apps, Punkt has loaded what appears to be stock Android (AOSP 8.1.0), sending a constant stream of users' data to a company known for global espionage.


Punkt promised the world a modern, minimalist design built on the principles of security and privacy, but it's clear the MP-02 was phoned in. Their website offers no firmware downloads, no software release schedules, and no proof of a secure supply chain. Consumers who value their privacy and security should avoid this phone.

Executives might imagine they've established a cool new tech company, but the truth is that Punkt will never be more than a design shop. And they're deep in denial.

Published January 28, 2019 by Ethan F Grant