Allwinner are a Chinese based company that supply the processor to many low-end Android tablets, and many other devices including ARM-based PC’s, including the Jide Remix laptop, and even some set-top boxes. The significance of this relatively low-profile company in the Android sphere is that it apparently shipped a version of its Linux kernel with a backdoor built-in to those devices; not just any backdoor, but an incredibly easy to access backdoor, one that can be exploited by simply sending the text “rootmydevice” to the sunxi_debug process.

Information concerning the backdoor was supposedly published to Allwinner’s Github account and then quickly deleted and has come under some scrutiny from the community over its lack of community development and even accused of violations of the GPL license. The purpose of this backdoor is obviously meant for debugging but somehow ended up in the code found in final commercial-ready devices using AllWinner chips.

Allwinner’s kernel, linux-3.4-sunxi, was originally developed to support Android on the company’s ARM processors for tablets but has also been used to develop a community version and even as the basis for porting over a variety of versions of Linux to Allwinner’s processors. These are used in Orange Pi and Banana Pi micro-PC’s to name a few and so these devices would reportedly include this undocumented unsecured backdoor. The code is included within the kernel with non-conditional flags, meaning it can’t even be removed.

Consequently, any device running the Allwinner chip can pass the phrase to the process to gain root on their device, but the worrying part is the ease in which this can be exploited and also why it wasn’t documented. As previously mentioned, these chips are typically found in lower-end Android devices, which one can argue given the price point of these tablets won’t be subject to the same security consideration or scrutiny as a premium tablet, but Allwinner’s kernel extends far beyond lower cost tablets.

Drop us a comment and let us know what you think: If you owned a device with such an easy backdoor to exploit, would it worry you?