Posted on Nov 9, 2015
'Military Smartphones Are a Hacker’s Dream' Be careful if you have a military issued blackberry. Your Thoughts?
10.5K
13
12
5
5
0
Telecom carriers and manufacturers are holding back critical software updates to the Pentagon’s supposedly secure phones, putting classified information at risk.
By Jeff Larson, ProPublica
You would think the nation’s military would move with lightning speed to patch cell phones vulnerable to hackers, particularly after recent disclosures that Chinese hackers harvested the personal information of 21.5 million U.S. government employees and Iran’s Revolutionary Guard broke into the Obama Administration’s social media accounts.
You would be wrong.
For nearly five months, military officials and officers have continued to use phones that can be attacked by the “Stagefright” bugs, a collection of flaws in the phones’ software code that gives attackers access to everything that flows through compromised devices. The bugs can expose those devices to hackers through a simple text message or a visit to the wrong web site.
We asked the various players in the supply chain that winds from phone makers, to Google to cell phone carriers to the Pentagon why the military’s devices were still vulnerable to the bugs. Not surprisingly, perhaps, everyone blamed someone other than themselves.
This much is clear. The problem arose because the military is now getting its cell phones from the same carriers and manufacturers that serve civilians. Several of them, including Verizon, AT&T, Sprint, and T-Mobile, have been slow to address the Stagefright vulnerabilities in the older model Android phones that are used by nearly 1,000 military officials and officers to discuss classified matters. While the federal government at large has a choice between those carriers, Verizon is the military’s carrier of choice within the United States.
Civilian customers simply upgrade their phones when a patch is released, but military users must wait until the Pentagon clears the fix.
In the fast-breaking world of hacking, such delays can be an eternity.
Since 2009, the nation’s military has been trying to protect its phone communications with a custom built, encrypted cell phone. The device took five years and $36 million to develop, but by the time it was ready for use, the carriers had upgraded to 4G networks with which it was incompatible. The phone was never widely used in any event; reportedly, it was so difficult to use, many officials left it on the shelf (PDF).
To fill the gap, the government struck a deal with Verizon, AT&T, and other carriers to use relatively cheap Android phones. The move will save almost $300 million for the federal government over the next few years.
Then, in June, a month before the revelation of the Stagefright bugs, the Pentagon announced it was cancelling its custom-built phone.
The move likely deprived late-night comedians of material about the Pentagon’s $4,700 cell phone (PDF). But it left the military’s non-battlefield communications entirely in the hands of the civilian carriers and cellphone manufacturers which deliver the patches when they decide it’s necessary.
Security experts told ProPublica that approach invites disaster.
Zuk Avraham, the chief technology officer of Zimperium, the cybersecurity company that discovered the Stagefright bug, told ProPublica that unpatched government phones are wide open to attacks by foreign governments or freelance hackers. “Devices that do not get upgraded are in great danger—especially government devices,” Avraham said.
Military officials insist that the phones are safe to use for classified conversations. If hackers have figured out a way to compromise a device through, say, its video text-messaging, officials simply turn off that feature.
By Jeff Larson, ProPublica
You would think the nation’s military would move with lightning speed to patch cell phones vulnerable to hackers, particularly after recent disclosures that Chinese hackers harvested the personal information of 21.5 million U.S. government employees and Iran’s Revolutionary Guard broke into the Obama Administration’s social media accounts.
You would be wrong.
For nearly five months, military officials and officers have continued to use phones that can be attacked by the “Stagefright” bugs, a collection of flaws in the phones’ software code that gives attackers access to everything that flows through compromised devices. The bugs can expose those devices to hackers through a simple text message or a visit to the wrong web site.
We asked the various players in the supply chain that winds from phone makers, to Google to cell phone carriers to the Pentagon why the military’s devices were still vulnerable to the bugs. Not surprisingly, perhaps, everyone blamed someone other than themselves.
This much is clear. The problem arose because the military is now getting its cell phones from the same carriers and manufacturers that serve civilians. Several of them, including Verizon, AT&T, Sprint, and T-Mobile, have been slow to address the Stagefright vulnerabilities in the older model Android phones that are used by nearly 1,000 military officials and officers to discuss classified matters. While the federal government at large has a choice between those carriers, Verizon is the military’s carrier of choice within the United States.
Civilian customers simply upgrade their phones when a patch is released, but military users must wait until the Pentagon clears the fix.
In the fast-breaking world of hacking, such delays can be an eternity.
Since 2009, the nation’s military has been trying to protect its phone communications with a custom built, encrypted cell phone. The device took five years and $36 million to develop, but by the time it was ready for use, the carriers had upgraded to 4G networks with which it was incompatible. The phone was never widely used in any event; reportedly, it was so difficult to use, many officials left it on the shelf (PDF).
To fill the gap, the government struck a deal with Verizon, AT&T, and other carriers to use relatively cheap Android phones. The move will save almost $300 million for the federal government over the next few years.
Then, in June, a month before the revelation of the Stagefright bugs, the Pentagon announced it was cancelling its custom-built phone.
The move likely deprived late-night comedians of material about the Pentagon’s $4,700 cell phone (PDF). But it left the military’s non-battlefield communications entirely in the hands of the civilian carriers and cellphone manufacturers which deliver the patches when they decide it’s necessary.
Security experts told ProPublica that approach invites disaster.
Zuk Avraham, the chief technology officer of Zimperium, the cybersecurity company that discovered the Stagefright bug, told ProPublica that unpatched government phones are wide open to attacks by foreign governments or freelance hackers. “Devices that do not get upgraded are in great danger—especially government devices,” Avraham said.
Military officials insist that the phones are safe to use for classified conversations. If hackers have figured out a way to compromise a device through, say, its video text-messaging, officials simply turn off that feature.
Posted 9 y ago
Responses: 7
Why doesn't the Military create their own cell phones? Their own brand? Their own carrier? and only Military personnel and or government officials can use these phone from the Military carriers on the Military network.
Why does the Military have to go through a civilian company?
Yep...I am aware, but is it the safest way...just like I tell my kids...you buy something cheap, you get what you paid for....but I understand the many moving parts to set up and maintain their own service.
What if they started it up....so they can have their secure lines, but to pay for it they can offer all military members and Veterans service too and a much lower cost that the major carriers are charging everyone, therefore being able to Frey some or most of the costs?
Why does the Military have to go through a civilian company?
Yep...I am aware, but is it the safest way...just like I tell my kids...you buy something cheap, you get what you paid for....but I understand the many moving parts to set up and maintain their own service.
What if they started it up....so they can have their secure lines, but to pay for it they can offer all military members and Veterans service too and a much lower cost that the major carriers are charging everyone, therefore being able to Frey some or most of the costs?
(2)
(0)
Sgt Kelli Mays
PO1 Andrew Gardiner Yep...I am aware, but is it the safest way...just like I tell my kids...you buy something cheap, you get what you paid for....but I understand the many moving parts to set up and maintain their own service.
What if they started it up....so they can have their secure lines, but to pay for it they can offer all military members service too and a much lower cost that the major carriers are charging everyone, therefore being able to Frey some or most of the costs?
What if they started it up....so they can have their secure lines, but to pay for it they can offer all military members service too and a much lower cost that the major carriers are charging everyone, therefore being able to Frey some or most of the costs?
(0)
(0)
PO1 (Join to see)
the risk of having the capability of both cloning and hacking into a cell phone in general is too high. Even if they were govt. issued, it's still poses too high.
(0)
(0)
. . . "used by nearly 1,000 military officials and officers to discuss classified matters. . .?" If discussing classified matters on an unsecured wired phone is a court-martial offense, how is it okay to do so on a wireless phone?
(1)
(0)
When is the last time you've seen a fully functioning trackball blackberry? I spend a lot of time outside the country so I have a contract iPhone (personal phone) but for stateside, I still use my Sprint blackberry. I visited the Sprint Store the last time I was back home and the young guy slipped and laughed out loud - literally - when he saw it, he immediately apologized, adjusted his glasses and asked if the trackball still worked? (I've replaced the trackball three times over the years) It works! I am due for an upgrade from Sprint - any suggestions? (My wife says they are going to want to put this in the Sprint Museum!)
(1)
(0)
Read This Next