Many Cellphones Offered by the Four Major US Carriers Have Built in Vulnerabilities

[cageymaru]

Critical flaws are built into phones sold by the four major U.S. cellphone carriers according to research funded by the Department of Homeland Security (DHS). The flaws allow a hacker to gain access to data, emails, text messages, and "escalate privileges and take over the device" according to Vincent Sritapan a program manager at DHS. Government officials and users outside the U.S. are vulnerable also.

The vulnerabilities are built into devices before a customer purchases the phone. Researchers said it is not clear if hackers have exploited the loophole yet. "This is something that can target individuals without their knowledge," Angelos Stavrou, the founder of Kryptowire told Fifth Domain.

 

[Chupachup]

Every phone offered should come without preinstalled carrier bundled apps and an operational base level OS that is maintained not by the carrier but the OS developers. Android pushes new security updates and it can be months to more than a year before the carriers incorporate it and push out their own. That needs to stop immediately.

 

[HeadRusch]

Hackers can get into my phone!? Thank God the Government has studied this.......hopefully they'll come up with some clever licensing fee we can pay them to help combat the problem......

 

[pcgeekesq]

Anyone wanna bet the vulnerabilities were put there to make voting-by-phone easier in West Virginia?

 

[Nolan7689]

Shocked! Shocked I say.....well not that shocked.

I haven’t bought a carrier locked phone in years. Initially expensive but at least I own it outright.

 

[BlakLanner]

My question that wasn't fully explained by the article is if these vulnerabilities are in the carrier-unlocked versions you get straight from the manufacturer or if they are added during the "add carrier drivers and bloatware" process. After dealing with Verizon's bullshit bloatware and locked boot loaders, I lean towards getting my phones straight from the manufacturer and wonder how many of these vulnerabilities are still present if I go that route.

 

[BoogerBomb]

Every electronic device in circulation has vulnerabilities that make it hackable.

 

[BlakLanner]

Every electronic device in circulation has vulnerabilities that make it hackable.

I realize that. No code is ever completely bug free. I am just wondering if the vulnerabilities that are mentioned here are the normal ones baked into the phone's software or if they were in the carrier-specific stuff.

 

[whatevs]

Holy crap, does the article read like a massive waste of tax payer money. They found a random vulnerability, there are tons published/patched on Android every month. Maybe its the article author that's using click bait wording.

 

[BloodyIron]

Google has shifted a good portion of this to their apps being updated through Google Play for the same reason. Before this shift many devices were left vulnerable as they never received updates to many Google facets. Now, many of these things continue to get updates, but unfortunately they still have a lifespan as newer versions of even Google apps list required minimum Google versions, which completely defeats the whole fucking point...

Like the Google camera app for example. Newest versions require Android 8... Wtf ..

Every phone offered should come without preinstalled carrier bundled apps and an operational base level OS that is maintained not by the carrier but the OS developers. Android pushes new security updates and it can be months to more than a year before the carriers incorporate it and push out their own. That needs to stop immediately.

 

[AlphaAtlas]

built into

I know you're just quoting the article cagey, but IMO thats a misleading title. It's worded like carriers baked backdoors into phones, but as far as I can tell these are just (unintentional) security bugs. Holes like that are found and patched all the time... It's only news if they're a pain to patch, or if they're exploited on a massive scale before being fixed.

 

[Lakados]

After looking into a few other sources expanding on the issue it looks like the good people at BLU are at it again. This time it looks like it may be hardware flaws and not the pre loaded spyware they were including back in 2017.

 

[Zarathustra[H]]

That's what happens when there is no emphasis on regular security updates.


The major carriers should require of all hardware they sell that they keep it up to date via OTA updates such that no device has security patches older than two weeks at any point in it's supported life.

 

[BlakLanner]

The major carriers should require of all hardware they sell that they keep it up to date via OTA updates such that no device has security patches older than two weeks at any point in it's supported life.

The problem with that is that the carriers are often the bottleneck. They don't want to support phones long term because that means you might not buy a new one. I have an HTC 10 right now and it took Verizon months after HTC released Oreo for it to hit my device. My mother's Pixel 2 gets regular security updates since they come straight from Google but the updates that HTC rolls out almost never hits my phone because of Verizon.

 

[Zarathustra[H]]

The problem with that is that the carriers are often the bottleneck. They don't want to support phones long term because that means you might not buy a new one. I have an HTC 10 right now and it took Verizon months after HTC released Oreo for it to hit my device. My mother's Pixel 2 gets regular security updates since they come straight from Google but the updates that HTC rolls out almost never hits my phone because of Verizon.

Carriers should have zero involvement in what software gets pushed to devices.

It should be pushed directly from the OEM without any input or consultation with the carrier.

Actuslly, better yet, windows model. Android shouldnt be a single binary distribution, and updates should be pushed directly from Google without any involvement from either device OEM's or carriers.

Carriers should just be a dumb mobile ISP. OEM's should be focusing on the hardware only, without any software involvement other than device drivers.

 

[Nolan7689]

Carriers should have zero involvement in what software gets pushed to devices.

It should be pushed directly from the OEM without any input or consultation with the carrier.

Actuslly, better yet, windows model. Android shouldnt be a single binary distribution, and updates should be pushed directly from Google without any involvement from either device OEM's or carriers.

Carriers should just be a dumb mobile ISP. OEM's should be focusing on the hardware only, without any software involvement other than device drivers.

People may like to shit on Apple but at least they do do that correctly. Their updates come through regardless of carrier.

 

[Dead Parrot]

From TFA: " . . . allow hacker to gain access to a user’s data, emails, text messages without the owner’s knowledge". So pretty much what Congress voted to allow ISPs to do on a daily basis?

 

[Dr. Righteous]

Every phone offered should come without preinstalled carrier bundled apps and an operational base level OS that is maintained not by the carrier but the OS developers. Android pushes new security updates and it can be months to more than a year before the carriers incorporate it and push out their own. That needs to stop immediately.

This is why my last phone was unlocked. The ass clown antics of Verizon with their updates ruined what was a great phone when purchased. After looking into an upgrade at the Verizon store; and being told "You cannot purchase a good cell phone for less than $600" I walked out. Bought a unlocked Motorola Moto G5 for $240. ROCK'IN PHONE. Works great, no crapware.

 

[trparky]

Carriers should have zero involvement in what software gets pushed to devices. ... Carriers should just be a dumb mobile ISP.

Can I get an Amen up in here? I want my wireless carrier to be nothing more than a dumb pipe, deliver my bits and get the hell out of the way.

People may like to shit on Apple but at least they do do that correctly. Their updates come through regardless of carrier.

Every phone offered should come without preinstalled carrier bundled apps and an operational base level OS that is maintained not by the carrier but the OS developers. Android pushes new security updates and it can be months to more than a year before the carriers incorporate it and push out their own. That needs to stop immediately.

Yep, most definitely. That's one of the main reasons why I went with the iPhone and will never look back. Sure, there's downsides to going with the iPhone but knowing that my device will be patched and updated properly is a serious plus in my book that outweighs the negatives.

 

[IdiotInCharge]

Yep, most definitely. That's one of the main reasons why I went with the iPhone and will never look back. Sure, there's downsides to going with the iPhone but knowing that my device will be patched and updated properly is a serious plus in my book that outweighs the negatives.

I won't say this in most places, but I'm almost here myself. It's Pixel 3 vs. whatever the 'equivalent' iPhone is when it's upgrade time, probably next year.

And I most probably will get it unlocked if at all possible (not sure how that works with Apple...).

 

[Crackinjahcs]

This article is almost worthless. It doesn't state whether it is a hardware, firmware, OS, or bundled app vulnerability. The Kryptowire article linked at least clarifies a firmware issue.

I have AT&T and my phone frequently gets forced updates containing apps I don't want. Going through my phone purging apps and resetting privacy settings has become a new hobby for me.

 

[trparky]

And I most probably will get it unlocked if at all possible (not sure how that works with Apple...).

If you get the iPhone from the Apple Store through the Apple iPhone Upgrade Program you can get a completely unlocked device. I have the non-CDMA version of the iPhone 7 Plus, I can take it to T-Mobile or AT&T with no issues. My brother has an iPhone 7 that he can take anywhere in the world since it's a world phone with support for both legacy CDMA networks and GSM/LTE networks.

 

[IdiotInCharge]

If you get the iPhone from the Apple Store through the Apple iPhone Upgrade Program you can get a completely unlocked device. I have the non-CDMA version of the iPhone 7 Plus, I can take it to T-Mobile or AT&T with no issues. My brother has an iPhone 7 that he can take anywhere in the world since it's a world phone with support for both legacy CDMA networks and GSM/LTE networks.

You didn't mention Verizon, which is what I'm using- is that still an issue? And I'd be getting something newer than the 7 if I were to upgrade from the Pixel unless the Pixel just craps out somehow.

[the world support is most certainly a selling point for whatever I get- last winter I took my Note 4, and that experience was as horrific as it sounds, not the least of which due to the Note 4 itself being horrific...]

 

[Nolan7689]

You didn't mention Verizon, which is what I'm using- is that still an issue? And I'd be getting something newer than the 7 if I were to upgrade from the Pixel unless the Pixel just craps out somehow.

[the world support is most certainly a selling point for whatever I get- last winter I took my Note 4, and that experience was as horrific as it sounds, not the least of which due to the Note 4 itself being horrific...]

I have an unlocked iPhone direct from Apples website, and am using it with Verizon. No worries for you on that, you’ll just pop in the Verizon Simcard and should be good to go.

 

[IdiotInCharge]

I have an unlocked iPhone direct from Apples website, and am using it with Verizon. No worries for you on that, you’ll just pop in the Verizon Simcard and should be good to go.

Awesome, thanks!

 

[xmadror]

Can't say I miss dealing with a carrier locked phone.
Its a little more work for me because I have to flash my update manually from TWRP (I can still download it OTA style).
But its worth it for me. Even if I got a android one (xiaomi mi a1) I still had to root because of some other issue with the stock rom.
Wasn't too hard to learn how, anyone here should be able to do it if so inclined. That is unless you can't unlock your bootloader.

 

[katanaD]

its always been my impression that the biggest "built in" vulnerability of cell phones has been the ON button. Once pressed, security rapidly goes down from there

 

[Mega6]

Homelands security calling - you are all vulnerable cell phone hackers but we can't disclose anything more. Maybe you can ask the NSA?

 

[trparky]

What's interesting is that if you get a Verizon compatible iPhone from the Apple Store you can take that same iPhone and go to AT&T, Sprint, or T-Mobile.

 

[Zarathustra[H]]

People may like to shit on Apple but at least they do do that correctly. Their updates come through regardless of carrier.

Yep.

That's because they can count on their users to demand their products no matter what. Android manufacturers in general, and Google specifically unfortunately don't have as much leverage to force the carriers to do what they wan't. One of the benefits of a rabid fan base I guess.

 

[Nolan7689]

Yep.

That's because they can count on their users to demand their products no matter what. Android manufacturers in general, and Google specifically unfortunately don't have as much leverage to force the carriers to do what they wan't. One of the benefits of a rabid fan base I guess.

Ah yes, and there’s the shitting on Apple.

 

[trparky]

Ah yes, and there’s the shitting on Apple.

Even when it's obvious that Apple is doing something better than Android the Android fans come out and shit on them for no other reason than to shit on them. Now, I'm not saying that Apple is 100% great; no sir. It's just that when it comes to software support Apple iOS hands down wins against Android especially so in the software updates department. The fact that Apple pretty much told the carriers to go fuck themselves is why Apple has the control that they have whereas the Android OEMs seem to bend over backwards to mutate Android into a piece of garbage by the carriers.

What I don't get is that if the Android OEMs have such a huge market share why don't they also pull an Apple and tell the carriers to go fuck themselves?

You either accept these Android devices as we made them or... yeah, we're going to go to another carrier that agreed to our terms. Hope you like losing customers!!!

The Android OEMs, especially the likes of Samsung, have more than enough clout to do just that.

Hey Samsung, let's see you start using that market share for something other than bragging rights.

 

[Zarathustra[H]]

Ah yes, and there’s the shitting on Apple.

I don't see my comment as shitting on Apple. It's just a statement of fact. They have a loyal demanding fan base and this gives them a lot of leverage.

They can tell the carriers that a precondition to selling their phones is that Apple retains control over updates.

No other device manufacturer currently has that kind of power.

 

[Zarathustra[H]]

What I don't get is that if the Android OEMs have such a huge market share why don't they also pull an Apple and tell the carriers to go fuck themselves?

The Android OEMs, especially the likes of Samsung, have more than enough clout to do just that.

I'm not convinced Samsung does. Verizon would likely tell them to pound sand and form a closer partnership with LG or HTC or one of the many other OEM's like that.

They can afford to lose an Android brand, because there are alternatives.

Now, if Google switched to a single binary release covering all Android based devices, they would have more clout and would be able to do something like this.

Again, using Verizon as an example. They could afford to lose one Android based device OEM. They likely would not risk losing them all.

 

[trparky]

I'm not convinced Samsung does. Verizon would likely tell them to pound sand and form a closer partnership with LG or HTC or one of the many other OEM's like that.

Samsung controls more than half of the Android market. Damn near every Android device that I see in people's hands is a Samsung.

 

[Zarathustra[H]]

Samsung controls more than half of the Android market. Damn near every Android device that I see in people's hands is a Samsung.

I feel like that is more because of how they are displayed in stores. Remember, we on here are anomalies. We do our research, decide on what we want and then go to the retailer.

Most people don't have a clue, don't know what they want and just go to the store and pick something. If they have any preconceived notions at all, it is probably that they want Apple. Otherwise they are typically just picking a phone without knowing much about it at all.

The average buyer of tech is an absolute moron who doesn't know shit about shit.

So, if - say - Verizon were to stop displaying Samsung phones in their stores, their sales would likely be mostly unaffected. People would walk in and just buy something else.

 

[trparky]

I feel like that is more because of how they are displayed in stores.

But Samsung also advertises on TV as much as Apple does. People usually buy what they see a commercial on TV about.

The average buyer of tech is an absolute moron who doesn't know shit about shit.

That's very true.