For years now, we have known that hackers are constantly trying to gain access to our computers. As a result, companies and individuals have gone to great lengths to protect their systems with anti-virus and anti-malware programs, firewalls, VPNs, and many other tools.
We have largely ignored, however, securing a smaller computer that we carry around with us each and every day—our mobile phones and tablets. Two new studies have shown many people are not doing enough to protect these devices, which are shipping out of factories with vulnerabilities.
Study shows specific Android vulnerabilities
A recent study by Kryptowire found serious hacking vulnerabilities currently exist in some Android mobile devices. Specifically, a series of BLU model smartphones popular with retailers including Best Buy and Amazon are at risk for revealing user’s personal data. Kryptowire found these phones have firmware that will collect sensitive personal data and then transmit it to third-party servers.
And all of this is done without users’ permission and even without their knowledge. A particularly worrisome feature of this firmware is that these third parties can have access to:
– full text messages,
– contact lists,
– phone numbers,
– call history
Additionally, the firmware allows for remote changes to the phone to be made:
– reprogram the phones remotely,
– execute remote commands,
– collect information regarding device location, potentially letting the outsiders track phone owners’ movements.
And all of this was done by bypassing the Android permission model, keeping phones owners in the dark as to what was going on.
Government study reveals even bigger concern
As a result of this study, the Department of Homeland Security (DHS) issued its own research that showed even more vulnerabilities in other brands of mobile devices, including “loopholes” that were pre-loaded on the devices that could give a hacker “access to a user’s data, emails, [and] text messages without the owner’s knowledge.” Once a hacker gains access to the phone, he can essentially turn off the security settings and take over control of the device.
Your vulnerability is out of your hands with these devices
This problem is particularly challenging because, unlike computer hacking where the vulnerability could be due to user behavior — such as visiting malware sites or using unsecured Wi-Fi connections — the vulnerabilities here are in the device when it leaves the factory.
Unlike Kryptowire, DHS has not revealed specific devices that are affected, possibly to avoid tipping off hackers. However, DHS did reveal that the devices include phones offered by the four major cell phone service providers (Verizon, AT&T, T-Mobile, and Sprint) as well as other carriers. Because of the widespread availability of these devices, it is estimated that millions of people are at risk and don’t even know it.
An international threat that also puts government officials at risk
This problem is not limited to U.S. phones, but is considered an international threat. Even more troubling is the belief that some of the devices at risk may be used by U.S. government officials, potentially leaving secured or sensitive data open to hackers.
All of the affected companies were notified of the vulnerabilities in February, but it is currently not clear if the loopholes have been closed.
Because the vulnerabilities are built in before a user purchases the device, it is not really possible for the owner to do anything specific to eliminate the vulnerabilities. But it is essential that everyone know about the potential to have sensitive data hacked from a mobile device and use discretion when entering potentially sensitive material until these security risks have been fixed.