Research funded by the United States Department of Homeland Security (DHS) indicates that potentially millions of smartphones have inherent security vulnerabilities. These security holes are built into the devices offered by all four major wireless carriers in the US, including AT&T, Sprint, T-Mobile, and Verizon, though it is not clear if they are being actively exploited.
Vincent Sritapan, a program manager at DHS’s Science and Technology Directorate, told Fifth Domain that the vulnerabilities enable hackers “to escalate privileges and take over” affected devices. That means pretty much everything is up for grabs, including text messages, contacts, emails, and everything else that resides on the phone.
While the affected phones are offered by every major wireless carrier in the US, the researchers did not disclose exactly which models they discovered flaws in, or precisely how many vulnerable devices are out there. However, Sritapan did say that other smaller carriers are likely offering flawed handsets as well. We take that to mean the many mobile virtual network operators (MVNOs) that piggyback on the major wireless networks.
Kryptowire, a mobile security firm based in Virginia, conducted the research for DHS.
“This is something that can target individuals without their knowledge,” Fifth Domain founder Angelos Stavrou told Fifth Domain. He also said the vulnerabilities “are burrowed deep inside the operating system,” and that it is difficult to know if the deeply rooted flaws have been exploited.
On the bright side, manufacturers have been aware of the vulnerabilities since February. Hopefully that will lead to patches and/or changes in designs going forward.