Tuesday, May 15, 2012

Chinese-made smartphones include lovely bezel design and a backdoor into all your data, but mostly a backdoor into all your data

The People's Republic of China (or PRC) is a land rife with slave labor, pollution, intellectual property theft, and repression of religion. In other words, it's Thomas Friedman's (pronounced: fried-man's) ideal society.

And the cyberwar that the PRC (or, rather, the People's Liberation Army or PLA) is waging worldwide, much of it against American assets, continues apace, unremarked upon by the President, his sycophants or the State Department.

Exhibit 9 million: A lovely backdoor installed on Chinese-made smartphones:

The ZTE Score M is an Android 2.3.4 (Gingerbread) phone available in the United States on MetroPCS, made by Chinese telecom ZTE Corporation.

There is a setuid-root application at /system/bin/sync_agent that serves no function besides providing a root shell backdoor on the device. Just give the magic, hard-coded password to get a root shell:

$ sync_agent ztex1609523
# id
uid=0(root) gid=0(root)

Nice backdoor, ZTE.
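A defender's check for the pattern described above, as an added example that is not part of the original post or the Pastebin report: it parses an `ls -l` listing of /system/bin and flags setuid or setgid files missing from a known-good baseline. The sample listing, its permission bits, the `vendor_helper` name and the baseline set are constructed assumptions.

```python
import re

# Constructed sample in the layout of `adb shell ls -l /system/bin`
# (mode, owner, group, size, date, time, name). Not captured from a device;
# the mode bits shown for sync_agent are assumed, the page only says setuid-root.
SAMPLE_LISTING = """\
-rwxr-xr-x root     shell       5392 2011-12-01 10:00 dumpsys
-rwsr-sr-x root     root       26364 2011-12-01 10:00 sync_agent
-rwsr-x--- root     shell      18012 2011-12-01 10:00 run-as
lrwxr-xr-x root     shell            2011-12-01 10:00 ls -> toolbox
-rwxr-sr-x root     net_raw    26720 2011-12-01 10:00 ping
-rwsr-xr-x system   system      9100 2011-12-01 10:00 vendor_helper
"""

# Assumed baseline; build the real one from a known-good image of the same build.
BASELINE = {"run-as", "ping"}

LINE = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxsStT]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?:\d+\s+)?\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<name>.+)$"
)

def audit(listing, baseline=BASELINE):
    """Return setuid/setgid regular files that are not in the baseline."""
    findings = []
    for line in listing.splitlines():
        m = LINE.match(line)
        if not m or m["mode"][0] != "-":
            continue  # unparsable line, symlink, directory, device node
        mode, name = m["mode"], m["name"]
        setuid, setgid = mode[3] in "sS", mode[6] in "sS"
        if not (setuid or setgid) or name in baseline:
            continue
        findings.append({
            "name": name,
            "owner": m["owner"],
            "setuid_root": setuid and m["owner"] == "root",
            "world_exec": mode[9] in "xt",  # any local user or app can run it
        })
    # Setuid-root and runnable by anyone sorts first: the sync_agent pattern.
    findings.sort(key=lambda f: (not (f["setuid_root"] and f["world_exec"]), f["name"]))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING):
        print(f)
```

A setuid-root file that is world-executable and absent from the baseline is the finding to triage first, since any app on the device can invoke it.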

darn, geek.com says it is real.....

If anyone reading this owns a ZTE Score M Android smartphone, your device has been found to include a backdoor allowing root access without user authentication.
The discovery of the backdoor comes via a post on the text storage website Pastebin. It has since been confirmed via Reddit by Justin Case of Cunning Logic and TeamAndIRC. He has confirmed with someone at ZTE that the backdoor does indeed exist and that a fix is in the works.

Oh look, we'll just make a master key!  You locked that door?  :-)
Nice guys, nice.... oh and ZTE makes more than phones -- they're the 5th largest telecommunications manufacturer in the world. 

It's imperative that more Americans become aware of the danger to our information infrastructure posed by the PLA. I, for one, would be hard-pressed to trust any technology made in the PRC.

And that's a lesson that many companies have learned the hard way.
