DHS warns of vulnerabilities in millions of smartphones

By Cal Jeffrey · 13 replies
Aug 8, 2018
Post New Reply
  1. During the Black Hat conference in Las Vegas, FifthDomain spoke with Vincent Sritapan, a program manager at the Department of Homeland Security’s Science and Technology Directorate who said the vulnerabilities use privilege-escalation flaws to take over a phone completely.

    Virginia-based mobile security firm Kryptowire conducted the research, which was funded by the Critical Infrastructure Resilience Institute, a DHS research arm.

    “This is something that can target individuals without their knowledge,” said Kryptowire founder Angelos Stavrou. “[These vulnerabilities] are burrowed deep inside the operating system.”

    The flaws can allow hackers to access data, emails, and text messages without even alerting the user. The research was initiated when Kryptowire discovered similar weaknesses in the Blu phones last year. During that investigation, it was able to collect sensitive data from the phone and send it to a third-party without the user knowing. Blu later called it a "false alarm," but apparently not.

    "This is something that can target individuals without their knowledge. [They] are burrowed deep inside the operating system."

    While it appears on the surface that the problem is OS-related, it apparently goes deeper than that because the exploit only affects phones from specific manufacturers. However with practically all phone makers installing their own flavor of Android on their devices, this is not unexpected.

    Kryptowire has not released that names of the device makers for security purposes. However, Stavrou says his company notified them in February of the problem.

    “Some manufacturers did not publish their vulnerability disclosure process, and the researchers were initially not sure if the device makers had received the disclosure because Kryptowire did not receive a reply,” Stavrou said.

    All affected companies have been made aware of the security hole and are presumably working toward solutions.

    Permalink to story.

     
  2. merikafyeah

    merikafyeah TS Booster Posts: 160   +97

    Good thing I run LineageOS.
     
    Dustyn likes this.
  3. JaredTheDragon

    JaredTheDragon TS Guru Posts: 387   +250

    So we have the DHS warning us that the NSA's slOperating system (Android) is and has been compromised? Kind of the crow calling the raven black, here. Of course it's compromised. IOS isn't much better, but chiefly because there's only one flavor of it, making it even easier for outside interference.

    It's going to take a lot more than fearism from a government agency to make people care about their own security, alas. Thus far the DHS has done absolutely nothing important, so it comes off as them just whining about their big brother here.
     
    Charles Olson likes this.
  4. sukhwant singh

    sukhwant singh TS Enthusiast Posts: 70   +11

    and what makes you believe that lineageOS is much secure?
     
  5. vincentyu

    vincentyu TS Enthusiast Posts: 22   +8

    Fewer people use it, comparing with Android.
     
  6. Dustyn

    Dustyn TS Booster Posts: 72   +28

    PREACH!
     
  7. merikafyeah

    merikafyeah TS Booster Posts: 160   +97

    Because the article says "the exploit only affects phones from specific manufacturers". LineageOS does not have a single version which can be installed out of the box. It must be custom-built and maintained per device model. This makes it exceptionally difficult to compromise wide swathes of LineageOS users because everyone uses different phones and LineageOS is carrier-independent.

    As a practical matter I cannot say LineageOS is secure for I have not personally audited it. I can only reasonably say that it is more secure than the restrictive black boxes pushed out by carriers. LineageOS is based on AOSP which is open-sourced and updated constantly.
     
    regiq likes this.
  8. Timmeer

    Timmeer TS Rookie

    But?

     
  9. regiq

    regiq TS Booster Posts: 178   +57

    Goodie, another rootable smartphone. I feel safer when I can use iptables firewall.
     
  10. merikafyeah

    merikafyeah TS Booster Posts: 160   +97

    The article uses the words "phone makers" and "manufacturers" when it's more accurate to say "carriers". Seeing as how this vulnerability seems to affect all major U.S. carriers it must mean that all carrier-branded phones carry a common software component which behaves like a backdoor. My conspiracy-senses are tingling.
     
  11. Uncle Al

    Uncle Al TS Evangelist Posts: 4,110   +2,600

    NO WORRIES!!!!! I have yet to hear of anyone hacking my old can & string ......
     
    j05hh and Cal Jeffrey like this.
  12. MikeOD

    MikeOD TS Rookie

    I recently changed- had to- from my old flip to an I d I o t phone, and completely turned off everything but the actual phone (for calls), and the camera (which basically is garbage, I'll take film over digital any day), and even eliminated the Googoo store (yet MORE spyware!). Wanna hack me? Go ahead. Nothing on the phone but numbers (written in my own analog code), and some crappy pix. If I want to use a computer, I use mine, as I KNOW it's secure. Anyone relying on an I d I o t phone (IE: phone zombies) get what they deserve: hacked and profiled.
     
  13. j05hh

    j05hh TS Booster Posts: 165   +40

    MITM attack with scissors :p
     
    Cal Jeffrey and Charles Olson like this.
  14. Cal Jeffrey

    Cal Jeffrey TS Evangelist Topic Starter Posts: 1,080   +266

    That's actually a good one. lol
     

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...