Department of Homeland Security-funded research by Virginia-based security firm Kryptowire has allegedly discovered major security flaws in numerous phones, according to a report on cybersecurity site Fifth Domain.
According to the report, DHS Science and Technology Directorate program manager Vincent Sritapan said at the Black Hat conference in Las Vegas that the vulnerabilities have been discovered in phones carried by all four major carriers: Verizon, AT&T, T-Mobile, and Sprint. The exact nature of the vulnerabilities was not released, though they allegedly allow an attacker to take control of a targeted device:
The vulnerabilities are built into devices before a customer purchases the phone. Researchers said it is not clear if hackers have exploited the loophole yet.
Department of Homeland Security officials declined to say which manufacturers have the underlying vulnerabilities.
Millions of users in the U.S. are likely at risk, a source familiar with the research said, although the total number is not clear.
… “This is something that can target individuals without their knowledge,” Angelos Stavrou, the founder of Kryptowire, told Fifth Domain.
The vulnerabilities are so widespread that government officials are likely using potentially affected phones, Fifth Domain added. Researchers began notifying manufacturers as early as February.
As noted by 9to5Mac, Kryptowire said the research was prompted by concerns about vulnerabilities in phones made by Blu, a manufacturer of low-cost, primarily Android-powered devices. Amazon briefly pulled Blu phones earlier this year, but they returned to the e-commerce giant’s marketplace after the company wrote off the matter as a “false alarm.”
On Wednesday, researchers also told Reuters that Samsung Galaxy S7 smartphones were vulnerable to Meltdown, an attack on speculative execution, a processing technique in which CPUs perform some tasks ahead of time, before knowing whether they will be needed, in order to reach results faster. Meltdown exploits this process to gain glimpses of protected kernel memory, which could potentially compromise an entire device. Samsung told Reuters it had rolled out preliminary updates for S7 handsets in January, as well as another update in July.
“There are potentially even more phones affected that we don’t know about yet,” Graz Technical University researcher Michael Schwarz told Reuters. “There are potentially hundreds of millions of phones out there that are affected by Meltdown and may not be patched because the vendors themselves do not know.”
According to Fifth Domain, researchers are expected to release further details about the vulnerabilities later this week.