DHS-Funded Research Reveals Mobile Flaws Affecting Millions

New vulnerabilities that affect millions of smartphone users in the U.S. alone have now been reported by the Department of Homeland Security (DHS) at this year’s Black Hat USA 2018 conference. The news follows DHS-funded research conducted by Kryptowire, with manufacturers of the devices receiving notification of the problem back in February. The flaws themselves allow a malicious entity to escalate device privileges on affected mobile phones. That effectively grants control over a device and, by proxy, access to everything from emails and text messages to sensitive user data. They also affect handsets sold at every major carrier. The vulnerabilities are embedded “deep inside the operating system” of impacted handsets, which creates even more challenges for researchers. Specifically, the nature of the vulnerabilities is such that discovering whether or not they have been exploited is difficult. In fact, the user would almost certainly have no knowledge at all that a leak had occurred. As a result, Kryptowire has still not determined whether any attacks have taken place or any user data has been stolen, as of this writing.

With regard to the manufacturers themselves, there’s currently no way of knowing exactly what smartphones or OEMs are affected. Neither the DHS nor Kryptowire has elected to identify which mobile OEMs’ or component manufacturers’ technologies are under threat from the vulnerabilities. The mobile enterprise security firm does indicate that all of the cell phone makers have now been made aware of the flaws in their devices. However, it also reports that it didn’t receive an immediate response from several OEMs after the vulnerabilities were discovered, and those companies did not publish vulnerability disclosures upon being contacted. So it’s not clear how seriously those manufacturers are taking the threat. Meanwhile, no clarification has been provided with regard to whether any of those companies have issued fixes for any of the newly discovered issues.

Further information about the vulnerabilities and their predicted impact is expected to be revealed at some point over the coming weeks. In the meantime, although the vulnerabilities might affect millions, an exact number is not currently known. Nothing about the flaws limits their use to devices on mobile providers in the U.S. That means there are potentially millions of smartphone users around the globe who may have been at risk since before the start of 2018.