ZTE’s Score model that runs on Google’s Android operating system has a backdoor that allows anyone with the hardwired password to access the phone, noted security researcher Dimtri Alperovitch. The password is available online.
ZTE confirmed the vulnerability on the Score phone. "ZTE is actively working on a security patch and expects to send the update over-the-air to affected users in the very near future", ZTE said in a statement emailed to Reuters. "We strongly urge affected users to download and install the patch as soon as it is rolled out to their devices."
Alperovitch told the newswire that his team at CrowdStrike had researched the vulnerability and found that the backdoor was deliberate because it was being used as a way for ZTE to update the phone's software. "It could very well be that they're not very good developers or they could be doing this for nefarious purposes", he said.
Alperovitch said he had never seen a security vulnerability inserted by the hardware manufacturer before. "There are rumors about backdoors in Chinese equipment floating around. That's why it's so shocking to see it blatantly on a device", he told Reuters.