An independent security researcher said that the code he discovered in a processor made by the Taiwan-based manufacturer MediaTek is a “backdoor.” After he noted that the chip maker does not have a standard bug-reporting protocol, Justin Case announced his discovery via Twitter.
The researcher tweeted about the bug, posting, “So MediaTek broke basic security features to have this backdoor work. Readonly properties are NOT read only!”
The bug affects devices running Android 4.4 KitKat and was described by MediaTek as a de-bugging feature that was “created for telecommunication inter-operability testing in China,” according to NDTV. The company spokesperson stated in an email to NDTV that the “feature” was intended to be removed by phone manufacturers.
The Chinese company asked Case via Twitter to notify their Product Security Taskforce through “PM” (stet). Then the security researcher replied that he would continue to tweet about vulnerabilities publicly until MediaTek established a standard bug-reporting method.
When asked on Twitter why MediaTek did not have a proper bug-reporting route, a reply from the company's Twitter account noted, “We're assessing how to garner users' feedback in a more formal manner and will get back to you. Cheers.”
At press time MediaTek had not replied to emails from SCMagazine.com seeking comment about the vulnerability.