Phones at all major US carriers filled with vulnerabilities, say researchers

Manufacturers are building in flaws that could expose your data to hackers, according to research backed by the Department of Homeland Security.

Jennifer Bisset

Major US phone carriers may have a major problem.

Researchers funded by the Department of Homeland Security discovered security vulnerabilities in mobile devices used by Verizon, AT&T, T-Mobile, Sprint and more, DHS program manager Vincent Sritapan told Fifth Domain at the Black Hat security conference in Las Vegas on Tuesday.

The flaws are built into phones by manufacturers before they're bought, including a loophole that hackers could potentially exploit to access your data, emails and text messages without you knowing.

The flaws would "escalate privileges and take over the device," Sritapan said, and researchers don't know if hackers have exploited them yet.

Fifth Domain's report, citing a source familiar with the research, says millions of users in the US are likely at risk.

The department hasn't named the manufacturers, but said they were notified as early as February. The researchers funded by the department are from Kryptowire, a mobile security firm. Because the manufacturers didn't all publish the vulnerability in their disclosure process, the researchers weren't sure the manufacturers had received the information, Angelos Stavrou, the founder of Kryptowire, told Fifth Domain. But he confirms they are now all aware.

"This is something that can target individuals without their knowledge," Stavrou said. The vulnerabilities "are burrowed deep inside the operating system," and it is difficult to tell whether they have been exploited.

The research first came about when Kryptowire discovered vulnerabilities in the Blu phone company. The researchers are expected to release more details later this week.

Verizon, AT&T, T-Mobile and Sprint haven't yet responded to CNET's requests for comment.
