DHS warns of vulnerabilities in millions of smartphones

Cal Jeffrey

Posts: 4,152   +1,416
Staff member
Facepalm: According to research funded by the US Department of Homeland Security, millions of smartphone users could be at risk of having hackers completely take over their phones. The names of the device manufacturers have not been released yet, but the flawed phones are said to be sold by Verizon, AT&T, T-Mobile, Sprint, and “other carriers.”

During the Black Hat conference in Las Vegas, FifthDomain spoke with Vincent Sritapan, a program manager at the Department of Homeland Security’s Science and Technology Directorate who said the vulnerabilities use privilege-escalation flaws to take over a phone completely.

Virginia-based mobile security firm Kryptowire conducted the research, which was funded by the Critical Infrastructure Resilience Institute, a DHS research arm.

“This is something that can target individuals without their knowledge,” said Kryptowire founder Angelos Stavrou. “[These vulnerabilities] are burrowed deep inside the operating system.”

The flaws can allow hackers to access data, emails, and text messages without even alerting the user. The research was initiated when Kryptowire discovered similar weaknesses in the Blu phones last year. During that investigation, it was able to collect sensitive data from the phone and send it to a third-party without the user knowing. Blu later called it a "false alarm," but apparently not.

"This is something that can target individuals without their knowledge. [They] are burrowed deep inside the operating system."

While it appears on the surface that the problem is OS-related, it apparently goes deeper than that because the exploit only affects phones from specific manufacturers. However with practically all phone makers installing their own flavor of Android on their devices, this is not unexpected.

Kryptowire has not released that names of the device makers for security purposes. However, Stavrou says his company notified them in February of the problem.

“Some manufacturers did not publish their vulnerability disclosure process, and the researchers were initially not sure if the device makers had received the disclosure because Kryptowire did not receive a reply,” Stavrou said.

All affected companies have been made aware of the security hole and are presumably working toward solutions.

Permalink to story.

 
So we have the DHS warning us that the NSA's slOperating system (Android) is and has been compromised? Kind of the crow calling the raven black, here. Of course it's compromised. IOS isn't much better, but chiefly because there's only one flavor of it, making it even easier for outside interference.

It's going to take a lot more than fearism from a government agency to make people care about their own security, alas. Thus far the DHS has done absolutely nothing important, so it comes off as them just whining about their big brother here.
 
and what makes you believe that lineageOS is much secure?
Because the article says "the exploit only affects phones from specific manufacturers". LineageOS does not have a single version which can be installed out of the box. It must be custom-built and maintained per device model. This makes it exceptionally difficult to compromise wide swathes of LineageOS users because everyone uses different phones and LineageOS is carrier-independent.

As a practical matter I cannot say LineageOS is secure for I have not personally audited it. I can only reasonably say that it is more secure than the restrictive black boxes pushed out by carriers. LineageOS is based on AOSP which is open-sourced and updated constantly.
 
Goodie, another rootable smartphone. I feel safer when I can use iptables firewall.
 
Good thing I run LineageOS.
But?

However with practically all phone makers installing their own flavor of Android on their devices, this is not unexpected.
The article uses the words "phone makers" and "manufacturers" when it's more accurate to say "carriers". Seeing as how this vulnerability seems to affect all major U.S. carriers it must mean that all carrier-branded phones carry a common software component which behaves like a backdoor. My conspiracy-senses are tingling.
 
I recently changed- had to- from my old flip to an I d I o t phone, and completely turned off everything but the actual phone (for calls), and the camera (which basically is garbage, I'll take film over digital any day), and even eliminated the Googoo store (yet MORE spyware!). Wanna hack me? Go ahead. Nothing on the phone but numbers (written in my own analog code), and some crappy pix. If I want to use a computer, I use mine, as I KNOW it's secure. Anyone relying on an I d I o t phone (IE: phone zombies) get what they deserve: hacked and profiled.
 
Back