May 18, 2012 - ZTE Corp, the
world's No.4 handset vendor and one of two Chinese companies
under U.S. scrutiny over security concerns, said one of its
mobile phone models sold in the United States contains a
vulnerability that researchers say could allow others to control
the device.
The hole affects ZTE's Score model that runs on Google Inc's
Android operating system and was described by one
researcher as "highly unusual."
"I've never seen it before," said Dmitri Alperovitch,
co-founder of cybersecurity firm CrowdStrike. The hole, usually
called a backdoor, allows anyone with the hardwired password to
access the affected phone, he added.
ZTE and fellow Chinese telecommunications equipment
manufacturer Huawei Technologies Co Ltd have been
stymied in their attempts to expand in the United States over
concerns they are linked to the Chinese government, though both
companies have denied this.
Most such concerns have centred on the fear of backdoors or
other security vulnerabilities in telecommunications
infrastructure equipment rather than in consumer devices.
Last month a U.S. congressional panel singled out Huawei and
ZTE by approving a measure designed to search and clear the U.S.
nuclear-weapons complex of any technology produced by the two
companies.
Reports of the ZTE vulnerability first surfaced this week in
an anonymous posting on the code-sharing website pastebin.com.
Others have since alleged that other ZTE models, including the
Skate, also contain the vulnerability. The password is readily
available online.
ZTE said it had confirmed the vulnerability on the Score
phone, but denied it affected other models.
"ZTE is actively working on a security patch and expects to
send the update over-the-air to affected users in the very near
future," ZTE said in an emailed statement. "We strongly urge
affected users to download and install the patch as soon as it
is rolled out to their devices."
Alperovitch said his team had researched the vulnerability
and found that the backdoor was deliberate because it was being
used as a way for ZTE to update the phone's software. It is a
question, he said, of whether the purpose was malicious or just
sloppy programming.
"It could very well be that they're not very good developers
or they could be doing this for nefarious purposes," he said.
While security researchers have highlighted security holes
in Android and other mobile operating systems, it is rare to
find a vulnerability apparently inserted by the hardware
manufacturer.
"I have never seen this before. There are rumours about
backdoors in Chinese equipment floating around," Alperovitch
said. "That's why it's so shocking to see it blatantly on a
device."
A Google spokesman declined to comment.
(Reporting by Jeremy Wagstaff and Lee Chyen Yee; Editing by
Matt Driskill)