Chinese ARM Processors Have A Backdoor

Allwinner-chipFile this under Not Surprised.

One of the problems with sending all our technology manufacturing jobs to foreign countries in order to produce less expensive goods is that some of these countries are not necessarily our best buddies.  With some of them we might have what you would call “trust issues.”

Recently The Hacker News released an article about how a Chinese manufacturer of ARM processors (Allwinner sun8i for A83T, H3, or H3 processors) used in popular Android phone products, and several variations of the Pi hacker boards (Banana Pi, Orange Pi) have a backdoor embedded in them.  The Chinese claim is that this backdoor was inadvertently left in by developers who used it in the debugging process.  Sure, its possible.  Or maybe they meant to leave the backdoors in.

If we hadn’t already dealt with this issue in the routers manufactured in China for Juniper Networks, reported here in February (Perils From The Edge – Insecure Routers), I might be more inclined to give them the benefit of the doubt.  As it is, I am suspicious.  As an Android phone user, I am not pleased.  According to the article, “This security hole is currently present in every operating system image for A83T, H3 or H8 devices that rely on kernel 3.4”  You can Google the specs for your phone model to see if it is affected.  Fortunately for me, my LG G4 VS986 appears to be using a different processor.

 

0

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment