ZTE has confirmed that one of its Android-based smartphones contains a backdoor that could allow an intruder to gain full control of the device. The built-in hole in the Score M, revealed through Pastebin on May 10, supplies root access via a hardcoded password that is readily available online. The device runs Android 2.3.4 Gingerbread and is sold as an entry-level smartphone through MetroPCS in the US.
It's unclear if any other handsets are affected, though ZTE denied rumors that the hole exists in its Skate handset (first released in China, sold in Europe as the "Orange Monte Carlo"). The company hasn't explained why the Score's backdoor exists, dismissing it as a "technical defect." "ZTE takes customer privacy very seriously and makes every effort to ensure personal data is safe from unauthorized access," the company said.
The Chinese handset maker reassured customers that it takes privacy "very seriously" and promises to release an over-the-air patch before May 31. The nature of the backdoor remains -- and will likely forever remain -- open to debate. The hole surprised Dmitri Alperovitch, an expert and co-founder of CrowdStrike.
"It could very well be that they're not very good developers or they could be doing this for nefarious purposes," he told Reuters Friday. "I have never seen this before. There are rumors about backdoors in Chinese equipment floating around," Alperovitch said. "That's why it's so shocking to see it blatantly on a device."
"The backdoor on the phone is used by ZTE to install/uninstall various apps on the phone, but that is a perverted way to accomplish this task. There are legitimate and Google-supported APIs for doing the same thing that don't introduce any security risk to the phone," Alperovitch told PCMag in a separate statement.
ZTE has been the subject of similar controversies. In 2010, it was reported that the Chinese company inked a $130.6 million contract with Iranian telecom giant TCI, supplying the firm with, among other technology, "a powerful surveillance system capable of monitoring landline, mobile and Internet communications."