Have you recently bought a OnePlus 6? Don’t leave your phone unattended.
A serious vulnerability has been discovered in the OnePlus 6 bootloader that makes it possible for someone to boot arbitrary or modified images to take full admin control of your phone—even if the bootloader is locked.
A bootloader is part of the phone’s built-in firmware and locking it down stops users from replacing or modifying the phone’s operating system with any uncertified third-party ROMs, ensuring the system boots into the right operating system.
Security researcher Jason Donenfeld of Edge Security discovered that the bootloader on the OnePlus 6 is not entirely locked, allowing anyone to flash any modified boot image onto the handset and take full control of your phone.
In a video demonstration, Donenfeld showed how it is possible for an attacker with physical access to a OnePlus 6 to boot any malicious image using the ADB tool’s fastboot command, giving the attacker complete control over the device and its contents.
As you can see in the video, even USB debugging does not need to be turned on, which is usually required for messing around with smartphones. All an attacker needs to do is plug the target’s OnePlus 6 into their computer with a cable, restart the phone into Fastboot mode, and transfer over the modified boot image.
For this, the attacker requires physical and unsupervised access to the targeted OnePlus 6 device for only a few minutes.
OnePlus has acknowledged the issue and promised to release a software update shortly, providing the following statement:
“We take security seriously at OnePlus. We are in contact with the security researcher, and a software update will be rolling out shortly.”
So until the fix is rolled out, do not let your OnePlus 6 out of your sight. We will update this article as soon as we get more information on the security patch, which might be included in OxygenOS 5.1.7.
This isn’t the first time OnePlus has been caught in this situation. Late last year, a backdoor was discovered in OnePlus devices running OxygenOS that allowed anyone to obtain root access to the devices.