Posted on Nov 9, 2015
CPT Ahmed Faried
Telecom carriers and manufacturers are holding back critical software updates to the Pentagon’s supposedly secure phones, putting classified information at risk.
By Jeff Larson, ProPublica

You would think the nation’s military would move with lightning speed to patch cell phones vulnerable to hackers, particularly after recent disclosures that Chinese hackers harvested the personal information of 21.5 million U.S. government employees and Iran’s Revolutionary Guard broke into the Obama Administration’s social media accounts.

You would be wrong.

For nearly five months, military officials and officers have continued to use phones that can be attacked by the “Stagefright” bugs, a collection of flaws in the phones’ software code that gives attackers access to everything that flows through compromised devices. The bugs can expose those devices to hackers through a simple text message or a visit to the wrong web site.

We asked the various players in the supply chain that winds from phone makers to Google to cell phone carriers to the Pentagon why the military’s devices were still vulnerable to the bugs. Not surprisingly, perhaps, everyone blamed someone other than themselves.

This much is clear. The problem arose because the military is now getting its cell phones from the same carriers and manufacturers that serve civilians. Several of them, including Verizon, AT&T, Sprint, and T-Mobile, have been slow to address the Stagefright vulnerabilities in the older model Android phones that are used by nearly 1,000 military officials and officers to discuss classified matters. While the federal government at large has a choice between those carriers, Verizon is the military’s carrier of choice within the United States.

Civilian customers simply upgrade their phones when a patch is released, but military users must wait until the Pentagon clears the fix.

In the fast-breaking world of hacking, such delays can be an eternity.

Since 2009, the nation’s military has been trying to protect its phone communications with a custom-built, encrypted cell phone. The device took five years and $36 million to develop, but by the time it was ready for use, the carriers had upgraded to 4G networks with which it was incompatible. The phone was never widely used in any event; reportedly, it was so difficult to use, many officials left it on the shelf (PDF).

To fill the gap, the government struck a deal with Verizon, AT&T, and other carriers to use relatively cheap Android phones. The move will save almost $300 million for the federal government over the next few years.

Then, in June, a month before the revelation of the Stagefright bugs, the Pentagon announced it was cancelling its custom-built phone.

The move likely deprived late-night comedians of material about the Pentagon’s $4,700 cell phone (PDF). But it left the military’s non-battlefield communications entirely in the hands of the civilian carriers and cellphone manufacturers which deliver the patches when they decide it’s necessary.

Security experts told ProPublica that approach invites disaster.

Zuk Avraham, the chief technology officer of Zimperium, the cybersecurity company that discovered the Stagefright bug, told ProPublica that unpatched government phones are wide open to attacks by foreign governments or freelance hackers. “Devices that do not get upgraded are in great danger—especially government devices,” Avraham said.

Military officials insist that the phones are safe to use for classified conversations. If hackers have figured out a way to compromise a device through, say, its video text-messaging, officials simply turn off that feature.
Responses: 7
Sgt Kelli Mays
Edited >1 y ago
Why doesn't the Military create their own cell phones? Their own brand? Their own carrier? And only Military personnel and/or government officials can use these phones from the Military carriers on the Military network.

Why does the Military have to go through a civilian company?

Yep...I am aware, but is it the safest way...just like I tell my kids...you buy something cheap, you get what you paid for....but I understand the many moving parts to set up and maintain their own service.
What if they started it up....so they can have their secure lines, but to pay for it they can offer all military members and Veterans service too at a much lower cost than the major carriers are charging everyone, therefore being able to defray some or most of the costs?
Sgt Kelli Mays
>1 y
PO1 Andrew Gardiner Yep...I am aware, but is it the safest way...just like I tell my kids...you buy something cheap, you get what you paid for....but I understand the many moving parts to set up and maintain their own service.
What if they started it up....so they can have their secure lines, but to pay for it they can offer all military members service too at a much lower cost than the major carriers are charging everyone, therefore being able to defray some or most of the costs?
PO1 Cryptologic Technician (Technical)
8 y
The risk of having the capability of both cloning and hacking into a cell phone in general is too high. Even if they were govt. issued, it's still too high.
1SG Charles Hunter
. . . "used by nearly 1,000 military officials and officers to discuss classified matters. . .?" If discussing classified matters on an unsecured wired phone is a court-martial offense, how is it okay to do so on a wireless phone?
SCPO Joshua I
8 y
It's not. The article is full of crap.
CSM Michael J. Uhlig
Edited >1 y ago
When is the last time you've seen a fully functioning trackball BlackBerry? I spend a lot of time outside the country so I have a contract iPhone (personal phone) but for stateside, I still use my Sprint BlackBerry. I visited the Sprint Store the last time I was back home and the young guy slipped and laughed out loud - literally - when he saw it, he immediately apologized, adjusted his glasses and asked if the trackball still worked? (I've replaced the trackball three times over the years) It works! I am due for an upgrade from Sprint - any suggestions? (My wife says they are going to want to put this in the Sprint Museum!)