ZTE confirms security hole in U.S. phone

Fri May 18, 2012 3:07am EDT

Employees of ZTE chat on the roof of its headquarters in Shenzhen, Guangdong province, April 17, 2012. REUTERS/Tyrone Siu

Employees of ZTE chat on the roof of its headquarters in Shenzhen, Guangdong province, April 17, 2012.

Credit: Reuters/Tyrone Siu

Related Topics

(Reuters) - ZTE Corp, the world's No.4 handset vendor and one of two Chinese companies under U.S. scrutiny over security concerns, said one of its mobile phone models sold in the United States contains a vulnerability that researchers say could allow others to control the device.

The hole affects ZTE's Score model that runs on Google Inc's Android operating system and was described by one researcher as "highly unusual."

"I've never seen it before," said Dmitri Alperovitch, co-founder of cybersecurity firm, CrowdStrike. The hole, usually called a backdoor, allows anyone with the hardwired password to access the affected phone, he added.

ZTE and fellow Chinese telecommunications equipment manufacturer, Huawei Technologies Co Ltd, have been stymied in their attempts to expand in the United States over concerns they are linked to the Chinese government, though both companies have denied this.

Most such concerns have centered on the fear of backdoors or other security vulnerabilities in telecommunications infrastructure equipment rather than in consumer devices.

Last month a U.S. congressional panel singled out Huawei and ZTE by approving a measure designed to search and clear the U.S. nuclear-weapons complex of any technology produced by the two companies.

Reports of the ZTE vulnerability first surfaced this week in an anonymous posting on the code-sharing website, pastebin.com. Others have since alleged that other ZTE models, including the Skate, also contain the vulnerability. The password is readily available online.

ZTE said it had confirmed the vulnerability on the Score phone, but denied it affected other models.

"ZTE is actively working on a security patch and expects to send the update over-the-air to affected users in the very near future," ZTE said in an emailed statement. "We strongly urge affected users to download and install the patch as soon as it is rolled out to their devices."

Alperovitch said his team had researched the vulnerability and found that the backdoor was deliberate because it was being used as a way for ZTE to update the phone's software. It is a question, he said, of whether the purpose was malicious or just sloppy programming.

"It could very well be that they're not very good developers or they could be doing this for nefarious purposes," he said.

While security researchers have highlighted security holes in Android and other mobile operating systems, it is rare to find a vulnerability apparently inserted by the hardware manufacturer.

"I have never seen this before. There are rumors about backdoors in Chinese equipment floating around," Alperovitch said. "That's why it's so shocking to see it blatantly on a device."

A Google spokesman declined to comment.

(Reporting by Jeremy Wagstaff and; Lee Chyen Yee; Editing by Matt Driskill)

FILED UNDER:
We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (2)
LBK2 wrote:
Is there any information regarding the strength of the owners using password sign on, being effective at controlling this?

May 18, 2012 10:15am EDT  --  Report as abuse
CountryPride wrote:
Is anyone naive enough to believe any Chinese electronic component is not full of security holes? They are flooding our markets and trying to monopolize our supply chains in order to make sure their counterfeit and faulty products make it into our government and military for espionage and sabotage.

May 18, 2012 11:45am EDT  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.