Reuters – (National) ZTE confirms security hole in U.S. phone. ZTE, the world’s fourth-largest handset vendor and one of two Chinese companies under U.S. scrutiny over security concerns, said one of its mobile phone models sold in the United States contains a vulnerability that researchers said could allow others to control the device. The hole affects ZTE’s Score model, which runs on Google’s Android operating system. The hole, or backdoor, allows anyone with the hardwired password to access the affected phone, a researcher for cybersecurity firm CrowdStrike said. ZTE and Chinese telecommunications equipment manufacturer Huawei Technologies were stymied in their attempts to expand in the United States over concerns they are linked to the Chinese government, though both companies denied this. Most concerns centered on the fear of backdoors or other security vulnerabilities in telecommunications infrastructure equipment rather than in consumer devices. Reports of the ZTE vulnerability first surfaced the week of May 14 in an anonymous posting on a code-sharing Web site. Since then, others alleged that different ZTE models, including the Skate, also contain the vulnerability. The password is readily available online. ZTE said it confirmed the vulnerability on the Score phone, but denied it affected other models. The CrowdStrike researcher said his team analyzed the vulnerability and found the backdoor was deliberate because it was being used as a way for ZTE to update the phone’s software. It is a question, he said, of whether the purpose was malicious or just sloppy programming. While security researchers highlighted security holes in Android and other mobile operating systems, it is rare to find a vulnerability apparently inserted by the hardware manufacturer.
Ali Loney, on May 18, 2012