Department of Homeland Security funded research has found that phones sold by Chinese telecommunications firm ZTE are among those to have manufacturing vulnerabilities that allow a hacker to gain access to a user’s data, emails and text messages, Fifth Domain has learned.
“ZTE has already delivered and/or is working with carriers today to deliver the maintenance releases that fix these identified issues,” Andrew Elliot, a spokesman for ZTE told Fifth Domain in an email Aug. 9.
The Trump administration banned U.S. firms from doing business with ZTE in April because the company violated U.S. sanctions against North Korea and Iran, but then lifted restrictions with the phone manufacturer in July. ZTE was the fourth largest seller of mobile phones in the U.S. with a market share of 12.2 percent, the company said in September 2017. U.S. senators have described the firm as “a significant threat to U.S. security.”
Fifth Domain reported earlier this week that research funded by the Department of Homeland Security’s Science and Technology Directorate has found a “slew” of vulnerabilities in millions of mobile devices offered by U.S. cell phone carriers. The research is expected to be formally announced during the Black Hat conference in Las Vegas Aug. 10.
The manufacturing flaws may allow a hacker to gain access to a user’s data without the owner’s knowledge. The vulnerabilities are built into the phones before it is sold to the customer. It is unknown if hackers have exploited the loophole.
Although the Department of Homeland Security declined to identify which companies had the vulnerabilities, ZTE is the first manufacturer to acknowledge the flaws.
Elliot said ZTE was aware of the manufacturing bug. It is not clear when the company realized the flaw nor is it known if ZTE was first informed of the vulnerability because of the Homeland Security backed research.
The company did not immediately respond to follow-up questions regarding the number of ZTE phones that were vulnerable and when the company expects the patches to be complete.
In July, President Donald Trump lifted a ban on U.S. companies doing business with ZTE. Trump’s action effectively allowed ZTE to survive because the Chinese firm relies on U.S. parts and software.
Trump then lifted sanctions on ZTE “as a personal favor to the president of China as a way of showing some goodwill for bigger efforts,” White House trade adviser Peter Navarro told Fox News June 10.
“President Xi of China, and I, are working together to give massive Chinese phone company, ZTE, a way to get back into business, fast,” Trump tweeted May 13. “Too many jobs in China lost. Commerce Department has been instructed to get it done!”
The sanctions were first placed on ZTE in April because it violated U.S. sanctions against North Korea and Iran. As a condition of allowing U.S. firms to do business with ZTE, the Chinese company was required to pay a $1 billion fine and place $400 million in escrow.
Spokespeople for the Department of Commerce and Department of Homeland Security did not immediately reply to emailed questions about the sanctions.
"It’s not surprising that one vulnerability would affect more than one manufacturer and carrier because hardware and software are often shared,” Mark Orlando, chief technology officer of cyber at Raytheon told Fifth Domain. “If there is a software or firmware update, apply it. Don’t just let it languish.”
In June, Sens. Mark Warner, D-Va., and Marco Rubio, R-Fla., said that ZTE is a “significant threat to our national security.”
A 2012 House intelligence report singled out ZTE and Chinese telecommunications company Huawei for their vulnerabilities.
“Huawei and ZTE cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems.”
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.