Many Cellphones Offered by the Four Major US Carriers Have Built in Vulnerabilities

Discussion in '[H]ard|OCP Front Page News' started by cageymaru, Aug 8, 2018.

  1. cageymaru

    cageymaru [H]ard|News

    Critical flaws are built into phones sold by the four major U.S. cellphone carriers, according to research funded by the Department of Homeland Security (DHS). The flaws allow a hacker to gain access to data, emails, text messages, and "escalate privileges and take over the device," according to Vincent Sritapan, a program manager at DHS. Government officials and users outside the U.S. are vulnerable also.

    The vulnerabilities are built into devices before a customer purchases the phone. Researchers said it is not clear if hackers have exploited the loophole yet. "This is something that can target individuals without their knowledge," Angelos Stavrou, the founder of Kryptowire, told Fifth Domain.
     
  2. Chupachup

    Chupachup Limp Gawd

    Every phone offered should come without preinstalled carrier bundled apps and an operational base level OS that is maintained not by the carrier but the OS developers. Android pushes new security updates and it can be months to more than a year before the carriers incorporate it and push out their own. That needs to stop immediately.
     
  3. HeadRusch

    HeadRusch Gawd

    Hackers can get into my phone!? Thank God the Government has studied this.......hopefully they'll come up with some clever licensing fee we can pay them to help combat the problem......
     
  4. pcgeekesq

    pcgeekesq [H]ard|Gawd

    Anyone wanna bet the vulnerabilities were put there to make voting-by-phone easier in West Virginia?
     
  5. Nolan7689

    Nolan7689 Gawd

    Shocked! Shocked I say.....well not that shocked.

    I haven’t bought a carrier locked phone in years. Initially expensive but at least I own it outright.
     
  6. BlakLanner

    BlakLanner n00bie

    My question that wasn't fully explained by the article is if these vulnerabilities are in the carrier-unlocked versions you get straight from the manufacturer or if they are added during the "add carrier drivers and bloatware" process. After dealing with Verizon's bullshit bloatware and locked boot loaders, I lean towards getting my phones straight from the manufacturer and wonder how many of these vulnerabilities are still present if I go that route.
     
  7. BoogerBomb

    BoogerBomb [H]ardness Supreme

    Every electronic device in circulation has vulnerabilities that make it hackable.
     
  8. BlakLanner

    BlakLanner n00bie

    I realize that. No code is ever completely bug free. I am just wondering if the vulnerabilities that are mentioned here are the normal ones baked into the phone's software or if they were in the carrier-specific stuff.
     
  9. whatevs

    whatevs Limp Gawd

    Holy crap, does the article read like a massive waste of taxpayer money. They found a random vulnerability, there are tons published/patched on Android every month. Maybe it's the article author that's using clickbait wording.
     
  10. BloodyIron

    BloodyIron 2[H]4U

    Google has shifted a good portion of this to their apps being updated through Google Play for the same reason. Before this shift many devices were left vulnerable as they never received updates to many Google facets. Now, many of these things continue to get updates, but unfortunately they still have a lifespan as newer versions of even Google apps list required minimum Google versions, which completely defeats the whole fucking point...

    Like the Google camera app for example. Newest versions require Android 8... Wtf ..

     
  11. brucethemoose

    brucethemoose Limp Gawd


    I know you're just quoting the article cagey, but IMO that's a misleading title. It's worded like carriers baked backdoors into phones, but as far as I can tell these are just (unintentional) security bugs. Holes like that are found and patched all the time... It's only news if they're a pain to patch, or if they're exploited on a massive scale before being fixed.
     
  12. Lakados

    Lakados Gawd

    After looking into a few other sources expanding on the issue, it looks like the good people at BLU are at it again. This time it looks like it may be hardware flaws and not the preloaded spyware they were including back in 2017.
     
  13. Zarathustra[H]

    Zarathustra[H] Pick your own.....you deserve it.

    That's what happens when there is no emphasis on regular security updates.


    The major carriers should require of all hardware they sell that they keep it up to date via OTA updates such that no device has security patches older than two weeks at any point in its supported life.
     
  14. BlakLanner

    BlakLanner n00bie

    The problem with that is that the carriers are often the bottleneck. They don't want to support phones long term because that means you might not buy a new one. I have an HTC 10 right now and it took Verizon months after HTC released Oreo for it to hit my device. My mother's Pixel 2 gets regular security updates since they come straight from Google, but the updates that HTC rolls out almost never hit my phone because of Verizon.
     
  15. Zarathustra[H]

    Zarathustra[H] Pick your own.....you deserve it.

    Carriers should have zero involvement in what software gets pushed to devices.

    It should be pushed directly from the OEM without any input or consultation with the carrier.

    Actually, better yet, Windows model. Android shouldn't be a single binary distribution, and updates should be pushed directly from Google without any involvement from either device OEMs or carriers.

    Carriers should just be a dumb mobile ISP. OEMs should be focusing on the hardware only, without any software involvement other than device drivers.
     
  16. Nolan7689

    Nolan7689 Gawd

    People may like to shit on Apple but at least they do do that correctly. Their updates come through regardless of carrier.
     
  17. Dead Parrot

    Dead Parrot [H]ard|Gawd

    From TFA: " . . . allow hacker to gain access to a user’s data, emails, text messages without the owner’s knowledge". So pretty much what Congress voted to allow ISPs to do on a daily basis?
     
  18. Dr. Righteous

    Dr. Righteous 2[H]4U

    This is why my last phone was unlocked. The ass clown antics of Verizon with their updates ruined what was a great phone when purchased. After looking into an upgrade at the Verizon store, and being told "You cannot purchase a good cell phone for less than $600", I walked out. Bought an unlocked Motorola Moto G5 for $240. ROCK'IN PHONE. Works great, no crapware.
     
  19. trparky

    trparky Gawd

    Can I get an Amen up in here? I want my wireless carrier to be nothing more than a dumb pipe, deliver my bits and get the hell out of the way.
    Yep, most definitely. That's one of the main reasons why I went with the iPhone and will never look back. Sure, there's downsides to going with the iPhone but knowing that my device will be patched and updated properly is a serious plus in my book that outweighs the negatives.
     
  20. IdiotInCharge

    IdiotInCharge Not the Idiot YOU are Looking for

    I won't say this in most places, but I'm almost here myself. It's Pixel 3 vs. whatever the 'equivalent' iPhone is when it's upgrade time, probably next year.

    And I most probably will get it unlocked if at all possible (not sure how that works with Apple...).
     
  21. Crackinjahcs

    Crackinjahcs n00bie

    This article is almost worthless. It doesn't state whether it is a hardware, firmware, OS, or bundled app vulnerability. The Kryptowire article linked at least clarifies a firmware issue.

    I have AT&T and my phone frequently gets forced updates containing apps I don't want. Going through my phone purging apps and resetting privacy settings has become a new hobby for me.
     
  22. trparky

    trparky Gawd

    If you get the iPhone from the Apple Store through the Apple iPhone Upgrade Program you can get a completely unlocked device. I have the non-CDMA version of the iPhone 7 Plus, I can take it to T-Mobile or AT&T with no issues. My brother has an iPhone 7 that he can take anywhere in the world since it's a world phone with support for both legacy CDMA networks and GSM/LTE networks.
     
  23. IdiotInCharge

    IdiotInCharge Not the Idiot YOU are Looking for

    You didn't mention Verizon, which is what I'm using- is that still an issue? And I'd be getting something newer than the 7 if I were to upgrade from the Pixel unless the Pixel just craps out somehow.

    [the world support is most certainly a selling point for whatever I get- last winter I took my Note 4, and that experience was as horrific as it sounds, not the least of which due to the Note 4 itself being horrific...]
     
  24. Nolan7689

    Nolan7689 Gawd

    I have an unlocked iPhone direct from Apple's website, and am using it with Verizon. No worries for you on that, you’ll just pop in the Verizon SIM card and should be good to go.
     
  25. IdiotInCharge

    IdiotInCharge Not the Idiot YOU are Looking for

    Awesome, thanks!
     
  26. xmadror

    xmadror Limp Gawd

    Can't say I miss dealing with a carrier locked phone.
    It's a little more work for me because I have to flash my update manually from TWRP (I can still download it OTA style).
    But it's worth it for me. Even if I got an Android One (Xiaomi Mi A1) I still had to root because of some other issue with the stock ROM.
    Wasn't too hard to learn how, anyone here should be able to do it if so inclined. That is unless you can't unlock your bootloader.
     
  27. katanaD

    katanaD [H]ard|Gawd

    It's always been my impression that the biggest "built in" vulnerability of cell phones has been the ON button. Once pressed, security rapidly goes down from there.
     
  28. Mega6

    Mega6 Gawd

    Homelands security calling - you are all vulnerable cell phone hackers but we can't disclose anything more. Maybe you can ask the NSA?
     
  29. trparky

    trparky Gawd

    What's interesting is that if you get a Verizon compatible iPhone from the Apple Store you can take that same iPhone and go to AT&T, Sprint, or T-Mobile.
     
  30. Zarathustra[H]

    Zarathustra[H] Pick your own.....you deserve it.

    Yep.

    That's because they can count on their users to demand their products no matter what. Android manufacturers in general, and Google specifically, unfortunately don't have as much leverage to force the carriers to do what they want. One of the benefits of a rabid fan base I guess.
     
  31. Nolan7689

    Nolan7689 Gawd

    Ah yes, and there’s the shitting on Apple.
     
  32. trparky

    trparky Gawd

    Even when it's obvious that Apple is doing something better than Android the Android fans come out and shit on them for no other reason than to shit on them. Now, I'm not saying that Apple is 100% great; no sir. It's just that when it comes to software support Apple iOS hands down wins against Android especially so in the software updates department. The fact that Apple pretty much told the carriers to go fuck themselves is why Apple has the control that they have whereas the Android OEMs seem to bend over backwards to mutate Android into a piece of garbage by the carriers.

    What I don't get is that if the Android OEMs have such a huge market share why don't they also pull an Apple and tell the carriers to go fuck themselves?
    The Android OEMs, especially the likes of Samsung, have more than enough clout to do just that.

    Hey Samsung, let's see you start using that market share for something other than bragging rights.
     
  33. Zarathustra[H]

    Zarathustra[H] Pick your own.....you deserve it.

    I don't see my comment as shitting on Apple. It's just a statement of fact. They have a loyal demanding fan base and this gives them a lot of leverage.

    They can tell the carriers that a precondition to selling their phones is that Apple retains control over updates.

    No other device manufacturer currently has that kind of power.
     
  34. Zarathustra[H]

    Zarathustra[H] Pick your own.....you deserve it.

    I'm not convinced Samsung does. Verizon would likely tell them to pound sand and form a closer partnership with LG or HTC or one of the many other OEMs like that.

    They can afford to lose an Android brand, because there are alternatives.

    Now, if Google switched to a single binary release covering all Android based devices, they would have more clout and would be able to do something like this.

    Again, using Verizon as an example. They could afford to lose one Android based device OEM. They likely would not risk losing them all.
     
  35. trparky

    trparky Gawd

    Samsung controls more than half of the Android market. Damn near every Android device that I see in people's hands is a Samsung.
     
  36. Zarathustra[H]

    Zarathustra[H] Pick your own.....you deserve it.

    I feel like that is more because of how they are displayed in stores. Remember, we on here are anomalies. We do our research, decide on what we want and then go to the retailer.

    Most people don't have a clue, don't know what they want and just go to the store and pick something. If they have any preconceived notions at all, it is probably that they want Apple. Otherwise they are typically just picking a phone without knowing much about it at all.

    The average buyer of tech is an absolute moron who doesn't know shit about shit.

    So, if - say - Verizon were to stop displaying Samsung phones in their stores, their sales would likely be mostly unaffected. People would walk in and just buy something else.
     
  37. trparky

    trparky Gawd

    But Samsung also advertises on TV as much as Apple does. People usually buy what they see a commercial on TV about.
    That's very true.