Chinese Mobile Phone has Backdoor Hole

Monday, May 21, 2012 @ 03:05 PM gHale


Handset maker ZTE Corp. said one of its mobile phone models sold in the United States contains a vulnerability researchers said could allow others to control the device.

The hole affects ZTE’s Score model that runs on Google Inc’s Android operating system and one researcher described it as “highly unusual.”

RELATED STORIES
Power Stations feel Backdoor Heat
Unpatched PHP Bug Hit
Oracle Flaw PoC Releases by Mistake
A+ Discovery: Student Finds Zero Day

ZTE is the world’s No.4 handset vendor and one of two Chinese companies under U.S. scrutiny over security concerns.

“I’ve never seen it before,” said Dmitri Alperovitch, co-founder of cyber security firm, CrowdStrike. The backdoor allows anyone with the hardwired password to access the affected phone, he said.

ZTE and fellow Chinese telecommunications equipment manufacturer, Huawei Technologies Co Ltd, are having a difficult time expanding into the United States market because of concerns they have links to the Chinese government. The two companies deny the claims.

The concerns center on the fear of backdoors or other security vulnerabilities in telecommunications infrastructure equipment rather than in consumer devices.

Last month a U.S. congressional panel singled out Huawei and ZTE by approving a measure designed to search and clear the U.S. nuclear-weapons complex of any technology produced by the two companies.

Reports of the ZTE vulnerability first surfaced this week in an anonymous posting on the code-sharing website, pastebin.com. Others have since said other ZTE models, including the Skate, also contain the vulnerability. The password is readily available online.
ZTE said it had confirmed the vulnerability on the Score phone, but denied it affected other models.

“ZTE is actively working on a security patch and expects to send the update over-the-air to affected users in the very near future,” ZTE said. “We strongly urge affected users to download and install the patch as soon as it is rolled out to their devices.”

Alperovitch said his team had researched the vulnerability and found the backdoor was deliberate because ZTE was using it to update the phone’s software. It is a question, he said, of whether the purpose was malicious or just sloppy programming.



Leave a Reply

You must be logged in to post a comment.