Facepalm: According to research funded by the US Department of Homeland Security, millions of smartphone users could be at risk of having hackers completely take over their phones. The names of the device manufacturers have not been released yet, but the flawed phones are said to be sold by Verizon, AT&T, T-Mobile, Sprint, and “other carriers.”
During the Black Hat conference in Las Vegas, FifthDomain spoke with Vincent Sritapan, a program manager at the Department of Homeland Security’s Science and Technology Directorate who said the vulnerabilities use privilege-escalation flaws to take over a phone completely.
Virginia-based mobile security firm Kryptowire conducted the research, which was funded by the Critical Infrastructure Resilience Institute, a DHS research arm.
“This is something that can target individuals without their knowledge,” said Kryptowire founder Angelos Stavrou. “[These vulnerabilities] are burrowed deep inside the operating system.”
The flaws can allow hackers to access data, emails, and text messages without even alerting the user. The research was initiated when Kryptowire discovered similar weaknesses in the Blu phones last year. During that investigation, it was able to collect sensitive data from the phone and send it to a third-party without the user knowing. Blu later called it a "false alarm," but apparently not.
"This is something that can target individuals without their knowledge. [They] are burrowed deep inside the operating system."
While it appears on the surface that the problem is OS-related, it apparently goes deeper than that because the exploit only affects phones from specific manufacturers. However with practically all phone makers installing their own flavor of Android on their devices, this is not unexpected.
Kryptowire has not released that names of the device makers for security purposes. However, Stavrou says his company notified them in February of the problem.
“Some manufacturers did not publish their vulnerability disclosure process, and the researchers were initially not sure if the device makers had received the disclosure because Kryptowire did not receive a reply,” Stavrou said.
All affected companies have been made aware of the security hole and are presumably working toward solutions.