Research funded by the Department of Homeland Security has found a “slew” of vulnerabilities in mobile devices offered by the four major U.S. cell phone carriers, including loopholes that may allow a hacker to gain access to a user’s data, emails, text messages without the owner’s knowledge.

The flaws allow a user “to escalate privileges and take over the device,” Vincent Sritapan, a program manager at the Department of Homeland Security’s Science and Technology Directorate told Fifth Domain during the Black Hat conference in Las Vegas.

The vulnerabilities are built into devices before a customer purchases the phone. Researchers said it is not clear if hackers have exploited the loophole yet.

Department of Homeland Security officials declined to say which manufacturers have the underlying vulnerabilities.

Millions of users in the U.S. are likely at risk, a source familiar with the research said, although the total number is not clear.

Because of the size of the market, it is likely that government officials are also at risk. The vulnerabilities are not limited to the U.S.

Researchers are expected to announce more details about the flaws later in the week.

Sritapan said the vulnerabilities have been found in devices used by the four major carriers, which include Verizon, AT&T, T-Mobile, and Sprint. Other carriers are using the flawed devices as well, he said.

The research was conducted by Kryptowire, a Virginia-based mobile security firm and funded through the Critical Infrastructure Resilience Institute, a Department of Homeland Security research center.

“This is something that can target individuals without their knowledge,” Angelos Stavrou, the founder of Kryptowire told Fifth Domain. He said it was difficult to tell if, and how, the vulnerability has been exploited. These vulnerabilities “are burrowed deep inside the operating system.”

Stavrou said that manufacturers were notified of the flaws as early as February. However, some manufacturers did not publish their vulnerability disclosure process, and the researchers were initially not sure if the device makers had received the disclosure because Kryptowire did not receive a reply, Stavrou said. He said all manufacturers are now aware of the vulnerabilities.

The research was spurred by vulnerabilities Kryptowire discovered in the Blu phone company. There, sensitive data was collected and and transmitted to a third party without users knowledge.

Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.

More In Cyber