Researchers funded by the Department of Homeland Security say that they have discovered major security vulnerabilities likely to affect millions of US smartphones …
The flaws have been found in unspecified phones sold by Verizon, AT&T, T-Mobile, Sprint and other carriers. It seems likely that the affected phones are Android devices, but some vulnerabilities have been found to affect iOS devices also, and the DHS isn’t yet saying one way or the other.
FifthDomain reports that the privilege-escalation flaws allow a complete take-over of devices, including access to emails and text messages without the owner’s knowledge.
The research was conducted by Kryptowire, a Virginia-based mobile security firm, and funded through the Critical Infrastructure Resilience Institute, a Department of Homeland Security research center.
The flaws allow a user “to escalate privileges and take over the device,” Vincent Sritapan, a program manager at the Department of Homeland Security’s Science and Technology Directorate, told Fifth Domain during the Black Hat conference in Las Vegas.
The vulnerabilities are built into devices before a customer purchases the phone.
Officials have so far declined to name the makes and models of affected phones, but the numbers cited suggest that they will include popular ones. Manufacturers were informed back in February, and it is expected that more details will be revealed to the public later this week.
The research was prompted by the discovery of a security flaw in Blu phones last year. Amazon briefly stopped selling the phones following reports of a serious security issue, which the company soon dismissed as a ‘false alarm.’ It appears this dismissal may have been premature.
Separately, Reuters reports that Samsung Galaxy S7 phones have been found to be susceptible to the Meltdown vulnerability, which could allow an attacker access to data processed by the CPU. Samsung originally said that it had patched its phones against Meltdown in January and again in July, but it seems that these patches have not proven sufficient.