'Military Smartphones Are a Hacker’s Dream' Be careful if you have a military issued blackberry. Your Thoughts?

CPT Ahmed Faried — Mon, 09 Nov 2015 23:53:29 -0500

Telecom carriers and manufacturers are holding back critical software updates to the Pentagon’s supposedly secure phones, putting classified information at risk.
By Jeff Larson, ProPublica

You would think the nation’s military would move with lightning speed to patch cell phones vulnerable to hackers, particularly after recent disclosures that Chinese hackers harvested the personal information of 21.5 million U.S. government employees and Iran’s Revolutionary Guard broke into the Obama Administration’s social media accounts.

You would be wrong.

For nearly five months, military officials and officers have continued to use phones that can be attacked by the “Stagefright” bugs, a collection of flaws in the phones’ software code that gives attackers access to everything that flows through compromised devices. The bugs can expose those devices to hackers through a simple text message or a visit to the wrong web site.

We asked the various players in the supply chain that winds from phone makers, to Google to cell phone carriers to the Pentagon why the military’s devices were still vulnerable to the bugs. Not surprisingly, perhaps, everyone blamed someone other than themselves.

This much is clear. The problem arose because the military is now getting its cell phones from the same carriers and manufacturers that serve civilians. Several of them, including Verizon, AT&T, Sprint, and T-Mobile, have been slow to address the Stagefright vulnerabilities in the older model Android phones that are used by nearly 1,000 military officials and officers to discuss classified matters. While the federal government at large has a choice between those carriers, Verizon is the military’s carrier of choice within the United States.

Civilian customers simply upgrade their phones when a patch is released, but military users must wait until the Pentagon clears the fix.

In the fast-breaking world of hacking, such delays can be an eternity.

Since 2009, the nation’s military has been trying to protect its phone communications with a custom built, encrypted cell phone. The device took five years and $36 million to develop, but by the time it was ready for use, the carriers had upgraded to 4G networks with which it was incompatible. The phone was never widely used in any event; reportedly, it was so difficult to use, many officials left it on the shelf (PDF).

To fill the gap, the government struck a deal with Verizon, AT&T, and other carriers to use relatively cheap Android phones. The move will save almost $300 million for the federal government over the next few years.

Then, in June, a month before the revelation of the Stagefright bugs, the Pentagon announced it was cancelling its custom-built phone.

The move likely deprived late-night comedians of material about the Pentagon’s $4,700 cell phone (PDF). But it left the military’s non-battlefield communications entirely in the hands of the civilian carriers and cellphone manufacturers which deliver the patches when they decide it’s necessary.

Security experts told ProPublica that approach invites disaster.

Zuk Avraham, the chief technology officer of Zimperium, the cybersecurity company that discovered the Stagefright bug, told ProPublica that unpatched government phones are wide open to attacks by foreign governments or freelance hackers. “Devices that do not get upgraded are in great danger—especially government devices,” Avraham said.

Military officials insist that the phones are safe to use for classified conversations. If hackers have figured out a way to compromise a device through, say, its video text-messaging, officials simply turn off that feature.

Response by SGT Private RallyPoint Member made Nov 9 at 2015 11:57 PM

SGT Private RallyPoint Member — Mon, 09 Nov 2015 23:57:07 -0500

. . . Crapberry.

Response by CSM Michael J. Uhlig made Nov 10 at 2015 12:33 AM

CSM Michael J. Uhlig — Tue, 10 Nov 2015 00:33:01 -0500

When is the last time you've seen a fully functioning trackball blackberry? I spend a lot of time outside the country so I have a contract iPhone (personal phone) but for stateside, I still use my Sprint blackberry. I visited the Sprint Store the last time I was back home and the young guy slipped and laughed out loud - literally - when he saw it, he immediately apologized, adjusted his glasses and asked if the trackball still worked? (I've replaced the trackball three times over the years) It works! I am due for an upgrade from Sprint - any suggestions? (My wife says they are going to want to put this in the Sprint Museum!)

Response by Sgt Kelli Mays made Nov 10 at 2015 12:55 AM

Sgt Kelli Mays — Tue, 10 Nov 2015 00:55:46 -0500

Why doesn't the Military create their own cell phones? Their own brand? Their own carrier? and only Military personnel and or government officials can use these phone from the Military carriers on the Military network.

Why does the Military have to go through a civilian company?

Yep...I am aware, but is it the safest way...just like I tell my kids...you buy something cheap, you get what you paid for....but I understand the many moving parts to set up and maintain their own service.
What if they started it up....so they can have their secure lines, but to pay for it they can offer all military members and Veterans service too and a much lower cost that the major carriers are charging everyone, therefore being able to Frey some or most of the costs?

Response by MCPO Roger Collins made Nov 10 at 2015 10:35 AM

MCPO Roger Collins — Tue, 10 Nov 2015 10:35:32 -0500

Ask yourself why the military does not take precedence over the common smart phone user. This is just another example of bureaucratic government inefficiency. If the GSA can't write a contract to their suppliers to make DOD military purchased phones and services first on updates, they need to be replaced.

Response by 1SG Charles Hunter made Nov 11 at 2015 12:09 AM

1SG Charles Hunter — Wed, 11 Nov 2015 00:09:12 -0500

. . . "used by nearly 1,000 military officials and officers to discuss classified matters. . .?" If discussing classified matters on an unsecured wired phone is a court-martial offense, how is it okay to do so on a wireless phone?

Response by SGT(P) Private RallyPoint Member made Nov 11 at 2015 2:44 PM

SGT(P) Private RallyPoint Member — Wed, 11 Nov 2015 14:44:57 -0500

What was the name of the phone the government/military making or model? Also it is a good question with the now mobile technology what is acceptable risk and what is not? With using classified data on a mobile device what kind of preventative measures will be in place if it gets locked, lost, or plugged into a normal laptop for power as most people do?

Response by SCPO Joshua I made Feb 8 at 2016 11:00 PM

SCPO Joshua I — Mon, 08 Feb 2016 23:00:04 -0500

What? Blackberries are absolutely not approved for classified material.