OpsLens

DHS Study: Phones at All Major US Carriers Filled with Vulnerabilities

Research funded by the Department of Homeland Security has found a “slew” of vulnerabilities in mobile devices offered by the four major US cell phone carriers. The vulnerabilities include loopholes that could allow a hacker to gain access to a user’s private communications data, including emails and text messages, without the owner’s knowledge.

Vincent Sritapan, a program manager at the Department of Homeland Security’s Science and Technology Directorate, explained that the flaws allow a user “to escalate privileges and take over the device,” essentially impersonating the identity of the owner. Sritapan said the vulnerabilities have been found in devices used by the carriers Verizon, AT&T, T-Mobile, and Sprint. What’s more disconcerting is that the vulnerabilities are built into devices before a customer purchases the phone. Researchers said it is not clear if hackers have found ways of capitalizing on these threats and that, as of now, there are no specifically known exploits.

The research was conducted by Kryptowire, a Virginia-based mobile security firm funded through the Critical Infrastructure Resilience Institute (CIRI), a Department of Homeland Security research center. Back in 2016, CIRI was spurred to take on investigations into mobile technology and its vulnerabilities. In November of that year, Kryptowire released a report detailing vulnerabilities created in a wide range of mobile phones by the devices’ firmware, a class of programs that monitors the manipulation of hardware, like letting the machine know when a button is pressed or a switch is turned on. The malicious firmware collected sensitive personal data about its users and transmitted this data to third-party servers. The viruses were able to target specific users and text messages matching remotely defined keywords. According to Kryptowire, a company that specializes in detecting non-compliant software that can violate privacy, the malicious firmware was installed into the phones before packaging, and shipped to customers through well-known vendors such as Best Buy and Amazon. The report ended with the ominous warning: “As smartphones are ubiquitous and, in many cases, a business necessity, our findings underscore the need for more transparency at every stage of the supply chain and increased consumer awareness.”

It seems that DHS and its research partners at CIRI took this alert to heart. If devices with compromised software were being delivered to Americans all over the country, what other threats could be lurking in cell phones being used throughout the United States?

Ironically, the recent study did not uncover anything about planted malware. Instead, the vulnerabilities it did identify were embedded in the structure of the devices themselves. This is a much bigger problem to deal with.

Because the results of this study affect such a wide range of phones, the implications of the findings are huge. Millions of users throughout the United States are at risk of exposure. More important, however, is that because the list of at-risk phones is so big, thousands of government employees may also be at risk of exposure.

Risks of Innovation

All of our technological development comes with an inescapable risk. There are dangers that come with these new items, devices, and systems that cannot possibly be foreseen before they manifest themselves. In other words, we have no idea just how dangerous our inventions are until they start breaking things in unexpected ways. Obviously, the more powerful the technology, the stronger these unforeseen dangers will be. But even more benign inventions like iPhones and tablets come with their risks. In fact, the world of information technology specifically is extremely problematic in this regard. Because of the complexity of digital platforms and systems, the possibilities of how they can be exploited are endless. Of course, this fact is not unknown to the world of IT. New programs and devices go through rigorous testing to ensure their safety. This practice has even sparked entire industries, including the profession that has come to be known as ethical hacking. But even the best team’s analysts can fall victim to oversight. The incredible range of potential weaknesses, hiding in millions of lines of code, is bound to leave problems undiscovered. An associate of mine, a chief operations officer at a prominent cyber firm in Tel Aviv, once related to me that the term “unbreakable” is one that anyone in the IT industry with any sense avoids using. “Smart people come up with great products all the time,” he said, adding, “they go to industry leaders, present their test findings, and declare ‘look, it’s absolutely foolproof’. The response they get is almost always something like ‘throw it to the academics, let them beat it with a stick for a few years, see if it breaks, then you can say it’s indestructible.’ Just because they run a few initial tests doesn’t mean no one will find its weaknesses.”

Perfect Timing

The most recent findings released by Kryptowire came at an apropos time.

While the DHS revealed flaws relating to Android-based devices, almost simultaneously, Apple released a statement detailing embedded flaws in its iOS programs. The bugs are none other than the Meltdown and Spectre bugs discovered earlier this year. They allow a rogue program to read kernel memory on a device. This means that if a device became infected with a program designed to exploit these flaws, all the data stored on a machine could be exposed.

The trend of more and more discoveries in the realm of embedded flaws is going to be a major factor in the IT security discussion moving forward. Emerging applications of digital tools in the public sphere, such as mobile e-voting, will all be test cases for how successfully we can deploy our digital tools in a prudent and safe fashion.