Phones at all major US carriers filled with vulnerabilities, say researchers

Major US phone carriers may have a major problem.

Researchers funded by the Department of Homeland Security discovered security vulnerabilities in mobile devices used by Verizon , AT&T , T-Mobile , Sprint and more, DHS program manager Vincent Sritapan told Fifth Domain at the Black Hat security conference in Las Vegas on Tuesday.

The flaws are built into phones  by manufacturers before they're bought, including a loophole that hackers could potentially exploit to access your data, emails and text messages without you knowing.

The flaws would "escalate privileges and take over the device," Sritapan said, and researchers don't know if hackers have exploited them yet.

In Fifth Domain's report, it says millions of users in the US are likely at risk, citing a source familiar with the research.

The Department hasn't named the manufacturers, but said they were notified as early as February. The researchers funded by the department are from Kryptowire, a mobile security firm. Because the manufacturers didn't all publish the vulnerability in their disclosure process, the researchers weren't sure they received the information, Angelos Stavrou, the founder of Kryptowire, told Fifth Domain. But he confirms they are now all aware.

"This is something that can target individuals without their knowledge," Stavrou said. The vulnerabilities "are burrowed deep inside the operating system," and it is difficult to tell whether they have been exploited.

The research first came about when Kryptowire discovered vulnerabilities in the Blu phone company. The researchers are expected to release more details later this week.

Verizon, AT&T, T-Mobile and Sprint haven't yet responded to CNET's requests for comment.

Cambridge Analytica: Everything you need to know about Facebook's data mining scandal.

iHate: CNET looks at how intolerance is taking over the internet.