[Congressional Record (Bound Edition), Volume 158 (2012), Part 5]
[House]
[Page 7375]
[From the U.S. Government Publishing Office, www.gpo.gov]




                      IT AND SUPPLY CHAIN SECURITY

  (Mrs. MYRICK asked and was given permission to address the House for 
1 minute.)
  Mrs. MYRICK. I rise today in support of the supply-chain security 
language that Representative Turner included in his Strategic Forces 
Subcommittee section of the National Defense Authorization Act.
  Information technology procurement and supply-chain management 
continue to be a challenge for both the private sector and the Federal 
Government. Congress must continue to ensure that those entities have 
the resources and legal authority necessary to prevent certain 
companies from inserting potentially malicious equipment into various 
supply chains. The threats amplify when our public and private sectors 
consider Chinese State-owned and government-affiliated 
telecommunications companies as potential business partners.
  I would like to submit an article into the Record, Mr. Speaker, that 
demonstrates a recent concern about the ZTE Corporation. ZTE is a 
Chinese State-owned and -operated company.

                       [From ZDNet, May 15, 2012]

                  Backdoor Found in ZTE Android Phones

                            (By Michael Lee)

       Two mobile phones, developed by Chinese telecommunications 
     device manufacturer ZTE, have been found to carry a hidden 
     backdoor, which can be used to instantly gain root access 
     with a password, that has been hard-coded into the software.
       Android devices typically ship with the user unable to run 
     commands as the ``root user'', in order to protect customers 
     from any inadvertent damage they could cause, and to reduce 
     the chance of rogue applications taking complete control of 
     the device. However, following an anonymous post to Pastebin, 
     security researchers have found that ZTE has installed an 
     application on the Score M and the Skate mobile phones, which 
     make rooting these phones simple.
       The post said:
       ``There is a setuid-root [set user ID upon execution] 
     application at /system/bin/sync__agent that serves no 
     function besides providing a root shell backdoor on the 
     device. Just give the magic, hard-coded password to get a 
     root shell.''
       The phone is available in the US and the UK, amongst other 
     markets. While no telco in Australia appears to be selling 
     the Score M or Skate mobile phones outright, it is still 
     possible to purchase it online or through smaller firms. ZTE 
     has offices in Sydney and Melbourne, and is a supplier of a 
     large number of Telstra mobile phones, typically rebranded as 
     Telstra's own T- and F-series mobile phones. Telstra is aware 
     of the issue, and is in the process of testing its devices, 
     to determine if the backdoor exists on them.
       ``Our preliminary tests suggest that handsets supplied to 
     Telstra are unaffected by this issue. That said, we take 
     device security very seriously, and we are conducting more 
     extensive testing to confirm our initial findings. Should we 
     discover any issues, we will contact customers directly,'' 
     Telstra said in a statement.
       ZTE is also the company behind the Optus-branded MyTab 
     tablet, which runs Android.
       ZDNet Australia contacted Optus to comment on whether its 
     devices may be affected, but did not receive a response at 
     the time of writing.
       Although Vodafone sells ZTE-branded USB modems, it does not 
     sell any Android devices from ZTE in Australia.
       Former McAfee threat research vice president Dmitri 
     Alperovitch is a security researcher that has independently 
     verified the original claim, posting the password to the 
     hidden application on Twitter.

                          ____________________