New Firmware Bugs Discovered on Phones Used by All Major Carriers
By LTC Steven Howard, U.S. Army (Ret.)
The U.S. Department of Homeland Security announced on Tuesday that mobile devices used by AT&T, Sprint, Verizon and similar carriers contain serious software vulnerabilities. The announcement was made at the Black Hat security conference last week in Las Vegas.
Speaking to the publication Fifth Domain, Vincent Sritapan said that the bugs allow a user “to escalate privileges and take over the device.” Sritapan is a program manager at the Department of Homeland Security’s Science and Technology Directorate.
DHS declined to name the manufacturers whose devices contain the vulnerabilities. However, Sritapan noted that those companies were notified of the problem in February.
DHS Started Research into Software Bugs after Problems with Blu Phones
DHS initiated the research after software vulnerabilities were discovered in Blu phones. Security firm Kryptowire identified several models of Android phones with firmware that collected sensitive personal data about users and transmitted this data to third-party servers without disclosure or users’ consent.
Interestingly, this type of behavior bypasses mobile antivirus tools. Antivirus tools assume that any software and firmware that ships on a phone from the factory is not malicious, and they whitelist it as safe to use.
Unauthorized Data from Users’ Phones Sent to Shanghai Server
In the case of the Blu phone company, the information was collected and disguised with multiple layers of encryption. The data was then transmitted over secure web protocols to a server located in Shanghai, China.
DHS researchers plan to release more information later this week.