The U.S. military has spent the past five months allowing officials and officers to discuss classified matters on cell phones that are vulnerable to hackers.

Almost 1,000 members of the military were given cell phones that operate on an older version of Android that needs a security patch for “Stagefright” bugs, “a collection of flaws in the phones’ software code that gives attackers access to everything that flows through compromised devices,” according to ProPublica. The phones can be compromised via text message sent by hackers or if users visit an infected website.

“Devices that do not get upgraded are in great danger — especially government devices,” Zuk Avraham, the chief technology officer of Zimperium, the cyber-security company that discovered the Stagefright bug, told ProPublica.

The phones are similar to those used by civilians who contract with Verizon, AT&T, Sprint and T-Mobile for their service. The military deals with Verizon within the United States.

Getting security patches installed in the phones takes longer for military phones than it does for civilian-owned models. “Civilian customers simply upgrade their phones when a patch is released, but military users must wait until the Pentagon clears the fix,” Jeff Larson wrote at ProPublica.

The military takes the stopgap measure of turning off features in the phones that allow viruses to spread. When the patch is installed on the phones, those features are reactivated.

The military attempted to develop a mobile phone that would be safe from hacking but by the time it was developed, it was incompatible with the 4G networks coming online.

-Noel Brinkerhoff, Steve Straehley

To Learn More:

Telecoms, Manufacturers Delaying Critical Patches for Classified Military Smartphones (by Jeff Larson, ProPublica)

Pentagon Personnel Now Talking on ‘NSA-Proof’ Smartphones (NextGov)

Security is Lax for U.S. Army Smart Phones and Tablets (by Noel Brinkerhoff, AllGov)